LAW SEMINARS INTERNATIONAL CLOUD COMPUTING: LAW, RISKS AND OPPORTUNITIES Developing Effective Strategies for Compliance With the HITECH Act and HIPAA’s.


1 LAW SEMINARS INTERNATIONAL
CLOUD COMPUTING: LAW, RISKS AND OPPORTUNITIES
Developing Effective Strategies for Compliance With the HITECH Act and HIPAA’s Data Breach Requirements
December 13, 2010
Renee H. Martin, JD, RN, MSN
Tsoules, Sweeney, Martin & Orr, LLC
29 Dowlin Forge Road, Exton, PA 19341
Tel.: (610) 423-4200
Fax: (610) 423-4201
E-mail: rmartin@tshealthlaw.com

2 HIPAA Basics
Copyright © 2010 Tsoules, Sweeney, Martin & Orr, LLC
Who is covered?
- Health plans
- Health care clearinghouses
- Health care providers who transmit any IIHI/PHI in electronic form in connection with transaction codes

3 What is covered?

4 Individually Identifiable Health Information (IIHI)
Health information, including demographics, that:
- Is created or received by a health care provider, health plan, or health care clearinghouse; and
- Relates to the past, present or future physical or mental health or condition; the provision of health care; or the past, present or future payment for the provision of health care to an individual; and
- Identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

5 Protected Health Information (PHI)
Individually identifiable health information that is:
- Transmitted by electronic media
- Maintained in any electronic media
- Transmitted or maintained in any other form (including oral or written PHI)

6 BREACH NOTIFICATION
Prior to the HITECH Act:
- No HIPAA data breach notification requirement, but notification may have been part of mitigation
- Most states have notification requirements
HITECH: First federal law mandating breach notification
- Affects covered entities, business associates, vendors of personal health records, and PHR service providers
- HHS Interim Final Regulations – 9/23/09
- Breach notification enforcement – 2/23/10

7 Key Definitions
HITECH Act Breach: The term “breach” means the unauthorized acquisition, access, use, or disclosure of Protected Health Information (PHI) which compromises the security or privacy of the PHI such that it poses a significant risk of financial, reputational, or other harm to the individual.
Unsecured PHI: PHI that is not secured through the use of a technology or methodology specified by the Secretary of HHS; PHI must be rendered unusable, unreadable, or indecipherable to unauthorized individuals.

8 Privacy & Security Breaches
HITECH Act Requirements
- Covered entities must notify individuals whose unsecured PHI has been or is reasonably believed to have been accessed, acquired or disclosed as a result of a privacy or security breach.
- If the breach is discovered by a business associate, then the business associate is required to notify the covered entity of the breach, including providing information about the identification of each individual who has been or is reasonably believed to have been affected by the breach.
- Breach notices must be sent without unreasonable delay and in no case later than 60 calendar days after discovery.
- A breach is “discovered” on the first day on which such breach is known to the covered entity or the business associate.
- If a breach involves more than 500 residents of a state, then prominent media and the Secretary of HHS must be sent notice.

9 Business Associates
New Mandates
Business associates:
- Are now subject to the administrative, physical and technical safeguard security requirements of the HIPAA Security Rule
- Must develop policies, procedures and documentation of security activities
- Are prohibited from making any use or disclosure of PHI that is not in compliance with each of the required terms of a HIPAA BAA
- That violate the HIPAA Security Rule or the terms of the BAA are now subject to the same civil and criminal penalties as covered entities
Health Information Exchanges (HIE):
- Are business associates and must enter into a BAA with the covered entity

10 Methods for Securing PHI
HHS has identified two methods for rendering PHI unusable, unreadable, or indecipherable to unauthorized individuals:
1. Encryption
2. Destruction
The successful use of encryption depends upon two main features:
1. The strength of the encryption algorithm
2. Security of the decryption key or process
Destruction of PHI:
- Paper: shredded or destroyed such that PHI cannot be read or reconstructed
- Electronic: cleared, purged, or destroyed such that PHI cannot be retrieved

11 ACTIONS TO TAKE
- Review Notice of Privacy Practices and update accordingly to reflect changes in privacy and security policies
- Review and modify HIPAA privacy and security policies and procedures to include new requirements and to comply with timeframes
- Compile a list of business associates and expand it to include vendors
- Identify other entities with which you share PHI that may now qualify as BAs and require a BA agreement
(Continued)

12 ACTIONS TO TAKE
- Draft a new BA agreement and update existing agreements to comply with the HITECH Act’s expanded new requirements
- Develop or modify existing breach notification policies that comply with the HITECH Act’s federal breach notification provisions and any state law counterparts
- Notify BAs of the security rule, notification, and enforcement penalty changes of the HITECH Act
- Review and update employee manuals and training programs
- Reevaluate how patient complaints are handled
- Document each step taken to become compliant

13 How will your organization respond to a breach?

14 Investigating and Responding to Suspected Breaches
- Before a breach occurs, have a plan
- The goal is to avoid a breach; if that fails, follow your plan
- Respond immediately and appropriately
- Prepare to spend money and time to address it properly
- The investigation and response will take longer than you think
- Even small breaches need thorough investigation and response

15 WHETHER TO NOTIFY INDIVIDUALS OF BREACH
1. Determine whether there has been an impermissible acquisition, access, use or disclosure of PHI in violation of the Privacy Rule.
2. Conduct a thorough internal investigation and forensic assessment.
3. Did the use, access, or acquisition actually constitute a breach? Determine the risk of harm. If it is a breach, then:
4. Who impermissibly used/disclosed PHI, and who were the recipients?
5. Can the impact of the harm be mitigated? For example, was the impermissibly disclosed PHI returned before an improper use?
6. What was the type and amount of PHI involved in the impermissible use or disclosure?
7. Document the results of the risk-of-harm assessment.

16 Notice to individuals must contain at minimum:
1. Circumstances of the breach, plus dates of breach and discovery
2. Types of PHI involved (e.g., name, social security number, etc.)
3. Steps for the individual to take to protect against potential harm
4. Steps the CE is taking to investigate, mitigate losses and protect against further breaches
5. Contact procedures (toll-free phone number, e-mail address, website or postal address)

17 Responding to Breaches Step-by-Step
1. Assemble an in-house multidisciplinary response team (management, board, IT, compliance, legal, communications, privacy officer, security officer, others).
2. Identify potential stakeholders.
3. Implement the response plan; draft patient notification letters should be ready to go. Contract with a credit monitoring agency (in advance).
4. Develop and implement an internal and external communications strategy (including notice to patients, stakeholders, regulatory agencies).
5. Prepare customer service representatives (hire if needed to handle the influx of calls).
6. Conduct a final assessment and lessons learned.
7. Employee discipline and HR follow-up.
