Security Breach Notification © 2009 Fox Rothschild A Webinar for the Medical Society of New Jersey October 28, 2009 Presented by Helen Oscislawski, Esq.


Security Breach Notification: HITECH & New Jersey Law

HITECH Breach Notification Laws
- Health Information Technology for Economic and Clinical Health Act ("HITECH") (February 17, 2009).
- Breach Notification Guidance and RFI (74 FR 19006, April 17, 2009).
- Breach Notification for Unsecured Protected Health Information – HHS' Interim Final Rule (74 FR 42740, August 24, 2009).
- FTC also released rules for "Vendors" of PHRs.

HITECH Breach Notification Laws
- Effective date is September 23, 2009; however, HHS will not enforce compliance with penalty assessments until February 22,
- The "Harm" threshold controversy:
  - Letter from Congress to HHS Secretary re: repeal "harm" threshold (October 1, 2009).
  - Letter from AHA to HHS Secretary re: "harm" threshold should remain (October 23, 2009).
- Comments to Interim Final Rule were due October 23,
- Remains to be seen if Interim Final Rule will be modified.

New Jersey Breach Notification Law
- New Jersey Identity Theft Prevention Act, N.J.S.A. 56:8-161 et seq. ("NJITPA") (effective January 1, 2006).
- NJITPA Rule, N.J.A.C. 13:45F, reserved Subchapter 3 - Breach of Security Provisions (adopted April 7, 2008).
- Notice of Pre-Proposal - Identity Theft, Written Security Programs and Violations (issued December 15, 2008). Comments were due February 13, No final rule yet.

HITECH-State Law Preemption
With regard to Security Breach Notification requirements, HHS specifically stated in its Interim Final Rule: "covered entities will need to analyze relevant State laws with respect to this regulation to understand the interaction and apply this preemption standard appropriately." 74 FR at

HITECH Preemption Standard
§ of HITECH: A provision or requirement under HITECH will supersede any contrary provision of a State law except if the provision of State law:
(a) is a provision the Secretary determines—
  (i) is necessary: to prevent fraud and abuse; or to ensure appropriate State regulation of insurance and health plans; or for State reporting on health care delivery or costs; or for other purposes; or
  (ii) addresses controlled substances; or
(b) relates to the privacy of individually identifiable health information and imposes a more stringent standard or requirement than HITECH.

Compliance Checklist
- Complete preemption analysis of security breach notification standards under HITECH and HHS Interim Final Rule, and NJITPA.
- Develop and implement Security Breach Policies and Procedures.
- Develop Risk Assessment for documenting "Harm" assessments.
- Develop and use a "Notification Letter" for notifying individuals.
- Assign a "1-800" number to receive questions about breaches.
- Revise Business Associate Agreements.
- Revise HIPAA policies and procedures.
- Train Employees.
- Enforce Sanctions.

Complete Preemption Analysis
- Compare Definitions of Terms, Scope of Applicability and Procedural Requirements.
- Detail-intensive legal analysis.
- Any two items that are not "contrary to" one another need to both be followed.

Who Does the Law Apply To?
HITECH:
- Covered Entities
- Business Associates
New Jersey:
- Businesses
- Public Entities

What Info Is Covered?
HITECH:
- "Protected Health Information" (almost everything, excluding de-identified data, and Limited Data Sets minus DOB and Zip).
- Broader.
New Jersey:
- "Personal Information" (only individual's name or first initial and last name linked with 3 pieces of data).
- Much narrower.

What Medium is Covered?
HITECH:
- Electronic.
- Paper.
- Oral.
New Jersey:
- Electronic only!

What Constitutes a "Breach"?
HITECH:
- Unauthorized acquisition, access, use or disclosure [i.e., in violation of Privacy Rule] of [unsecured] PHI which compromises the security of PHI.
- There is a significant "Risk of Harm." [controversial]
New Jersey:
- Unauthorized access to electronic files, media or data containing [unsecured] PI that compromises the security, confidentiality or integrity of such PI.
- "Misuse" reasonably possible.

"Secured" PHI
HITECH:
- Unusable, unreadable or indecipherable by:
  - Encryption
  - Destruction
  - Per NIST's standards
- Firewalls, Access Controls, Redaction are NOT enough.
New Jersey:
- Encryption
- "Any other method or technology that renders the PI unreadable or unusable." ["any other method" if not recognized under HITECH would be preempted]

Unauthorized Use or Access
HITECH:
- Violates the Privacy Rule.
New Jersey:
- Not specifically defined.

What are the Exceptions?
HITECH:
- "Unintentional."
- "Inadvertent."
- "Not Retained."
New Jersey:
- "Good Faith Acquisition" by employee or agent.
- Legitimate business purpose.
- Not further used or disclosed.

HITECH Breach Exceptions
1. UNINTENTIONAL acquisition, access, or use of PHI by a workforce member or person acting under the authority of a CE or a BA, if in good faith and within the scope of authority and does not result in further use or disclosure in violation of the Privacy Rule.
2. INADVERTENT disclosures by a person who is authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same CE or BA or OHCA in which the CE participates, and the information received as a result of such disclosure is not further used or disclosed in violation of the Privacy Rule.
3. RETENTION NOT POSSIBLE although disclosure of PHI was to an unauthorized person. CE or BA must have a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

When You Are Deemed to "Know"
HITECH:
- Actual knowledge of the Breach.
- By exercising reasonable diligence "should have known" about the Breach.
- Imputed knowledge of employees and agents!!
New Jersey:
- Actual discovery of the Breach.
- Upon receipt of notice regarding the breach.

Potential Required Notices
HITECH:
- Individual
- HHS
- Media
New Jersey:
- Individual
- Consumer Reporting Agencies
- Division of State Police

Timing of Individual Notice
HITECH:
- No unreasonable delay, in no case longer than 60 days.
- Delay for Law Enforcement only if the CE receives written communication that notice to individuals must be delayed for a specific time period, or, if oral, then document and delay no more than 30 days.
New Jersey:
- Most expedient time possible, without unreasonable delay.
- Must wait for law enforcement to make determination re: whether investigation would be compromised (preempted, if it causes delay of more than 30 days).

Form of Individual Notice
HITECH:
- U.S. Mail.
- only if individual has specified.
- Substitute Notice only if:
  - Out of date info
  - Lack info for 10 or more Individuals
  - Urgent Notice (i.e. by phone) if possible imminent misuse.
New Jersey:
- First class mail
- Substitute notice if:
  - cost of written notice would exceed $250K (preempted)
  - class of persons to be notified exceeds 500,000 (preempted)

Content of Individual Notice
HITECH:
- Brief description of what happened.
- What type of unsecured PHI was involved.
- Steps for individual to take.
- What is being done to investigate and mitigate.
- Contact information, including toll-free number, , Website or postal.
New Jersey:
- Description of categories of PI involved (e.g., SS#s).
- Information about FTC's website and its toll-free number.
- Steps for individual to take.
- Steps being taken to prevent further breaches.
- Toll-free number or other means of contact for further info.

Notice to Agencies
HITECH (Secretary of HHS):
- Less than 500 Individuals - Annual Log must be submitted to Secretary of HHS of all security breaches involving less than 500 individuals.
- 500 or More Individuals - Any breach involving 500+ individuals must be immediately reported to Secretary of HHS. HHS will post on their website.
New Jersey (Dept. of Consumer Affairs):
- Less than 1000 Individuals - Breaches where notices are given to individuals shall be documented and made available for inspection by Dept. of Consumer Affairs, upon request.
- 1000 or more Individuals - must notify Consumer Reporting Agencies.

Notice to HHS: 500 or More
- Without unreasonable delay.
- HHS website is set up for CE to submit notice at
- The notice must be submitted electronically by following the HHS link and completing all information required on the breach notification form.
- If a CE submitted a breach notification form to HHS and then discovers additional information to report, CE may submit an additional form, checking the appropriate box to signal that it is an updated submission.

Notice to HHS: < 500
- Annual Notice must be submitted within 60 days of the end of the calendar year in which the breaches occurred.
- Notifications of all breaches occurring after the effective date in 2009 must be submitted by March 1,
- The notice must be submitted electronically by following the HHS link.
- A separate form must be completed for every breach that has occurred during the calendar year.

Notice to Media Outlets
HITECH:
- If a security breach involves the PHI of 500 or More Individuals, notice to "prominent media outlets" serving the State or jurisdiction of such 500 or more Individuals must be provided.
New Jersey:
- No equivalent.

Notices to Law Enforcement
HITECH:
- There is no mandatory notification of law enforcement under HITECH.
New Jersey:
- In advance of providing any Individual with notice, the security breach must be reported to the New Jersey Division of State Police.

Develop and Implement Security Breach Policies and Procedures:
- Auditing
- Reporting Procedures
- Training
- Business Associate
- Investigating
- Risk Assessment (evaluating "Harm")
- Decision Tree
- Notifying Affected Individuals
- Notifying Law Enforcement
- Notifying federal and state agencies
- Mitigating Harm
- Corrective Action
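The "Decision Tree" item above, and the notice rules on the preceding slides, can be encoded so an incident responder gets a consistent answer for each regime. The following is an added illustration, not material from the webinar or from Fox Rothschild; the Incident fields and function names are assumptions, and the thresholds (secured PHI, exceptions, the harm and misuse tests, 500/1000-individual counts, State Police first in New Jersey) are taken from the slides.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Incident:
    """Facts a privacy officer establishes before deciding on notices (hypothetical fields)."""
    individuals: int                  # number of individuals whose data was involved
    medium: str                       # "electronic", "paper" or "oral"
    secured: bool                     # unusable/unreadable by encryption or destruction per NIST;
                                      # firewalls, access controls and redaction do not count
    hitech_exception: bool            # unintentional, inadvertent or not-retained exception applies
    significant_risk_of_harm: bool    # HITECH "harm" threshold (the controversial one)
    nj_personal_info: bool            # name, or first initial and last name, linked with PI data
    misuse_reasonably_possible: bool  # NJITPA "misuse" test


def hitech_notices(inc: Incident) -> list[str]:
    """Notices HITECH requires, in sending order; empty list if there is no reportable breach."""
    if inc.secured or inc.hitech_exception or not inc.significant_risk_of_harm:
        return []
    notices = ["individual (without unreasonable delay, no later than 60 days)"]
    if inc.individuals >= 500:
        notices.append("Secretary of HHS (immediately; HHS posts it on its website)")
        notices.append("prominent media outlets serving the State or jurisdiction")
    else:
        notices.append("Secretary of HHS (annual log, within 60 days of calendar year end)")
    return notices


def nj_notices(inc: Incident) -> list[str]:
    """Notices the NJITPA requires; it reaches electronic, unsecured PI only."""
    if inc.medium != "electronic" or inc.secured or not inc.nj_personal_info:
        return []
    if not inc.misuse_reasonably_possible:
        return []
    # New Jersey: the Division of State Police is notified before any individual notice goes out.
    notices = ["NJ Division of State Police (before individual notice)",
               "individual (most expedient time possible, without unreasonable delay)"]
    if inc.individuals >= 1000:
        notices.append("consumer reporting agencies")
    else:
        notices.append("document the notices; available to Dept. of Consumer Affairs on request")
    return notices


def required_notices(inc: Incident) -> dict[str, list[str]]:
    """Both regimes apply unless contrary to one another, so the result keeps them side by side."""
    return {"HITECH": hitech_notices(inc), "NJ": nj_notices(inc)}
```

A lost paper chart triggers the HITECH branch only, while an unencrypted laptop holding New Jersey residents' records triggers both, which is exactly the preemption point the slides make.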

Other Items on Checklist
- Documenting "Harm" assessments.
- "Notification Letter" for notifying individuals.
- "1-800" number to receive questions about security breaches.
- Revise Business Associate Agreements - define procedures for security breach notification; allocate responsibility and liability for:
  1. failure to detect breach,
  2. failure to notify,
  3. costs associated with fault,
  4. liability for penalties and other damages.
- Revise HIPAA policies and procedures (e.g., mitigation).
- Train Employees (very important due to imputed knowledge).
- Enforce Sanctions.

Questions?
Helen Oscislawski, Esq., Attorney at Law, Fox Rothschild LLP, 997 Lenox Drive, Bldg. 3, P.O. Box 5231, Princeton, NJ direct View my blog at: