A PRACTICAL GUIDE TO RESPONDING TO A HEALTHCARE DATA SECURITY BREACH
May 19, 2011 | State College, PA
Matthew H. Meade, Stephanie Winer-Schreiber

Presentation transcript:

California :: Delaware :: Florida :: New Jersey :: New York :: Pennsylvania :: Virginia :: Washington, D.C. ::

I. HYPOTHETICAL DATA SECURITY INCIDENT
II. INVESTIGATION
III. NOTICES TO VICTIMS AND GOVERNMENT
IV. LAW ENFORCEMENT
V. SUMMARY AND RECOMMENDATIONS

HYPOTHETICAL INCIDENT

- On Monday morning you learn of the theft of a laptop from the oncology department at your hospital.
- The laptop was stolen on Saturday or Sunday. It was not physically secured, nor was the PHI on the laptop encrypted.
- There were two files of unsecured PHI on the laptop: (1) MRI images with the name of the hospital and the patient's name; (2) patient payment information including SSN and healthcare insurance number.

- Preserve Evidence
- Activate Breach Response Plan
- Assemble the Team

- Designating an Incident Response Manager who is responsible for coordinating the response to a Data Breach Incident
- Creating an obligation for employees to report Data Breach Incidents to the Incident Response Manager
- Outlining employee responsibilities in the event of a Data Breach Incident
- Ensuring prompt notice by employees
- Creating a culture of awareness and compliance through training, communication and periodic updates

- WHAT PHI WAS INVOLVED?
- IS THERE A REASONABLE BELIEF THAT THE PHI WAS ACCESSED OR ACQUIRED BY AN UNAUTHORIZED PERSON IN VIOLATION OF THE HIPAA PRIVACY RULE?
- DID THE IMPERMISSIBLE USE OR DISCLOSURE RESULT IN A SIGNIFICANT RISK OF FINANCIAL, REPUTATIONAL OR OTHER HARM TO INDIVIDUALS?
- DO ANY EXCEPTIONS APPLY?

- HOW MANY PATIENTS WERE IMPACTED?
- WHAT IS THE STATE OF RESIDENCE OF THE VICTIMS?
- NOTIFY LAW ENFORCEMENT?

Based on what we know thus far, is there acquisition, access, use, or disclosure?
- Missing laptop = unauthorized access
- Specific treatment (oncology) leads to a presumption of reputational harm
- SSN and billing information lead to a presumption of financial harm
BASED ON WHAT WE KNOW, NOTICE IS REQUIRED, BUT KEEP INVESTIGATING

- CONTENT -- PLAIN LANGUAGE
- CONTENT -- WHAT MUST BE INCLUDED
  - Brief description of what happened
  - Description of the type of information involved
  - Steps the victim should take to protect themselves
  - Description of the investigation, efforts to mitigate harm and protect against further breaches
  - Contact procedure

- Breach affects 500 or more individuals: notice to HHS at the same time as victims
- Breach affects fewer than 500 people: submit to HHS within 60 days of the end of the calendar year
- Breach affects 500 or more residents of a single state: media notice is required
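The four breach-analysis questions and the notice thresholds from the slides above, encoded as a decision helper. This is an added example, not material from the presentation: the per-state patient counts are constructed, and the rule that encrypted PHI is not "unsecured PHI" follows HHS guidance rather than these slides.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Incident:
    """Facts established by the investigation (the four slide questions)."""
    phi_involved: bool          # What PHI was involved?
    encrypted: bool             # Encrypted PHI is not "unsecured PHI" (HHS guidance)
    unauthorized_access: bool   # Reasonable belief of unauthorized access/acquisition?
    harms: List[str]            # Presumed harms, e.g. ["reputational", "financial"]
    exception_applies: bool     # Does any breach exception apply?
    affected_by_state: Dict[str, int] = field(default_factory=dict)


def notice_required(inc: Incident) -> bool:
    """Walk the slide's four questions in order; any 'no' ends the analysis."""
    if not inc.phi_involved or inc.encrypted:
        return False            # no unsecured PHI, so nothing to notify about
    if not inc.unauthorized_access:
        return False
    if not inc.harms:           # no significant risk of financial/reputational/other harm
        return False
    return not inc.exception_applies


def required_notices(inc: Incident) -> Dict[str, str]:
    """Apply the HHS and media thresholds from the notice slide."""
    if not notice_required(inc):
        return {"individuals": "none", "hhs": "none", "media": "none"}
    total = sum(inc.affected_by_state.values())
    notices = {"individuals": "required"}
    if total >= 500:
        notices["hhs"] = "at same time as victims"
    else:
        notices["hhs"] = "within 60 days of end of calendar year"
    # Media notice is decided per state: 500 or more residents of a single state.
    media = sorted(s for s, n in inc.affected_by_state.items() if n >= 500)
    notices["media"] = ", ".join(media) if media else "none"
    return notices


# The stolen oncology laptop: unencrypted MRIs plus SSNs and billing data.
# Patient counts per state are constructed for this example; the slides give none.
STOLEN_LAPTOP = Incident(
    phi_involved=True, encrypted=False, unauthorized_access=True,
    harms=["reputational", "financial"], exception_applies=False,
    affected_by_state={"PA": 620, "OH": 40},
)

if __name__ == "__main__":
    print(required_notices(STOLEN_LAPTOP))
```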

- Federal (Secret Service, FBI, DOJ) and local law enforcement
- Establish a working relationship
- Be responsive to requests for information
- Make employees available
- Possible safe harbor in the event notice would compromise the investigation

You learn that a billing clerk inadvertently took the laptop home thinking it was his. When he got home and began work, he looked at the MRIs and billing information and realized he had the wrong computer. IS NOTICE REQUIRED?

On the way to the hospital the billing clerk stops at his local coffee shop and decides to log on to the laptop to check the weather and the stock market. After he logs on he goes to the counter to get his coffee. When he returns he sees that a friend of his is on the computer and has switched the screen from the Internet to the MRI screens. IS NOTICE REQUIRED?

The employee finally brings the laptop to the hospital. The IT team conducts a forensic examination of the computer and determines that on Friday someone made a copy of the social security numbers of the patients in the billing file. IS NOTICE REQUIRED?

Summary and Recommendations

- A methodical and thorough initial investigation is critical
- Implement a comprehensive written information security policy approved by senior management or the board
- Conduct periodic assessments of known and foreseeable risks to sensitive data held by the company
- Outline and implement a security breach response plan and the forensic capability to determine which information assets have been compromised in a breach

- Have tools and processes designed to detect, prevent and respond to attacks and intrusions on company systems
- Inventory, encrypt and password-protect remote and off-network devices used in the conduct of company business
- Designate employees who have overall responsibility for information security compliance
- Periodically train and refresh employees in the company's information security policies and their role in prevention
- Develop an organizational culture of awareness and respect for information security safeguards

Matthew H. Meade
Stephanie Winer-Schreiber