How Does a HIPAA Violation Become a Privacy Breach?
Karen Voiles, MBA, CHC, CHPC, CHRC Senior Managing Consultant, ComplianceAgenda
Differentiating between a HIPAA violation and a reportable breach
Best practices for documenting HIPAA violations and reportable breaches
Notification requirements for violations and breaches
Examples of HIPAA violations versus reportable breaches
When should legal counsel be involved?
When Does a HIPAA Incident Become a Breach?
Under the Omnibus Rule of 2013 (the “Final Rule”), an impermissible use or disclosure of protected health information (“PHI”) is PRESUMED to be a reportable breach UNLESS a four-factor risk assessment is completed which demonstrates a low probability that the PHI has been compromised
The presumption applies to unsecured PHI: PHI that has been rendered unusable, unreadable, or indecipherable to unauthorized persons (for example, encrypted or destroyed in accordance with HHS guidance) is outside the breach notification requirements, which is why the encryption status of a lost device is the first fact to establish
*See policy and risk assessment templates
What Should a Four-Factor Breach Risk Assessment Include?
The nature and extent of PHI involved, including types of identifiers and likelihood of re-identification:
Analyze the types of PHI involved
o Credit card numbers, Social Security numbers, or other information that might result in identity theft
o Nature of services, such as mental health or substance abuse information
o The amount of detailed clinical information exposed
o If the PHI involves only limited identifiers, can the PHI
Why Is It Important to Consider Who the Unauthorized Person Is?
If the recipient is another entity constrained by the same regulations, the risk is lower (example – a fax sent to the wrong physician or another covered entity)
If the PHI is used by, or disclosed to, a known identity thief or an ex-husband – the risk is much higher
Why Does It Matter if the PHI Was Actually Acquired or Viewed?
There is a difference between PHI actually being acquired or viewed and there merely having been an opportunity for the information to be acquired or viewed.
Example – if a laptop is lost or stolen and later recovered, and a forensic analysis shows that the PHI on it was never accessed, there is a lower probability that the PHI was compromised. Retain the forensic report: the burden of proving that the PHI was not compromised rests with the covered entity (see “Who Has the Burden of Proof?”).
How Did You Mitigate the Risk to the PHI?
Mitigating the risk to PHI that was improperly used or disclosed lowers the probability that the use or disclosure will be determined to be a breach
Example – requiring the recipient that received the PHI in error to provide assurances, such as in a confidentiality agreement, that the PHI was or will be destroyed or will not be further used or disclosed
What are Some Best Practices for Documentation?
Are You Keeping a Breach Log?
Important elements to include in your breach log:
Date of breach
Date of discovery
Number of individuals affected by the breach
Type of breach
Location of breached information
Type of protected health information (e.g., demographic, financial, clinical)
What Else Should Be in Your Breach Log?
Brief description of the breach
Include the location of the breach, a description of how the breach occurred, and any additional information regarding the type of breach, type of media, and type of protected health information involved in the breach
Safeguards in place prior to the breach
e.g., encryption, physical security, logical access control, anti-virus software, intrusion detection, biometrics
What About Notification and Other Actions Taken?
Dates notice provided
Whether substitute or media notice was provided, and, if so, who, what, when, where, how
Actions taken in response to the breach
e.g., security and/or privacy safeguards, mitigation, sanctions, policies and procedures
A description of any other actions taken
How Do You Notify an Individual of a Breach of His/Her Protected Health Information (PHI)?
Breach notification requirements:
Individual notice
o Written form – first-class mail, OR e-mail if the individual agreed to receive electronic notice
o If contact information is insufficient or out of date for 10 or more individuals: post the notice conspicuously on the web site home page for 90 days, or provide the notice in major print or broadcast media where the affected individuals likely reside. This substitute notice must include a toll-free number, active for at least 90 days, that individuals can call to determine whether their PHI was involved in the breach
o If fewer than 10 individuals, substitute notice may be provided by an alternative form of written notice, by telephone, or by other means
o Provide notice without unreasonable delay and in no case later than 60 calendar days following discovery
o Include a description of the breach, the types of information involved, steps individuals should take to protect themselves, a description of the investigation, what is being done to mitigate harm and prevent further breaches, and contact information for the covered entity
What if the Breach Is Discovered by a Business Associate?
The business associate must notify the covered entity without unreasonable delay and no later than 60 days from the discovery of the breach, and must provide the identification of each individual affected as well as any information the covered entity is required to include in its notification to affected individuals
NOTE – if the business associate is acting as an agent of the covered entity, the covered entity’s notification clock starts ticking when the business associate discovers the breach (not when it reports it); if the business associate is an independent contractor, the clock starts when it notifies the covered entity. Either way, the business associate agreement should set a reporting deadline well inside 60 days so the covered entity keeps time to complete its own notifications
What if the Breach Affects More Than 500 Residents of a State or Jurisdiction?
Media notice
In addition to notifying the affected individuals, you must provide notice to prominent media outlets serving the state or jurisdiction no later than 60 days following the discovery of the breach, and the notice must include the same information required for the individual notice
o This notice can be in the form of a press release to appropriate media outlets serving the affected area
Do You Know How to Submit Your Breach Log to the Secretary?
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html
When Do You Notify the OCR?
If 500 or more individuals are affected, notify the Secretary without unreasonable delay and no later than 60 days following discovery of the breach
If fewer than 500 individuals are affected, log the breach and notify the Secretary no later than 60 days after the end of the calendar year in which the breach(es) occurred
When Should You Involve Legal Counsel?
Best practice?
If, after an investigation, you are still not sure
Prior to notifying the patient
Prior to notifying the media
Prior to reporting a breach to the government
Bottom line – it may be expensive, but counsel can best mitigate your risk of audit or lawsuit in such situations!
Who Has the Burden of Proof?
Covered entities and business associates! You must be able to demonstrate that all required notifications have been provided, or that a use or disclosure of unsecured protected health information did not constitute a breach
You must also have in place written policies and procedures regarding breach notification; you must train employees on these policies and procedures; and you must develop and apply appropriate sanctions against workforce members who do not comply with these policies and procedures
Example #1 of a Non-Reportable Incident
PHI is faxed to the wrong physician, and the receiving physician immediately contacts the covered entity to inform it of the error and confirms that the information was destroyed. A low probability exists that the information was compromised, and the disclosure would not be reportable
Check your state laws
Should still be included on an accounting of disclosures
Example #2 of a Non-Reportable Event
A nurse accidentally accesses the wrong patient’s information. The patient accessed has the same name and gender as the patient the nurse is assigned to on the floor. When the nurse realizes she has accessed the wrong patient’s information, she immediately exits the record and does not further access or disclose the information accidentally accessed
The action can easily be confirmed by running an access audit
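The “access audit” that confirms Example #2 is, in practice, a query over the EHR audit trail: did the user open a record they were not assigned to, how long did they stay in it, did anything leave the system (print/export), and was there any later access? The following is an added example written for this page, not code from the presentation or from any EHR vendor. The pipe-delimited log format, the `ASSIGNMENTS` table and every log line are constructed assumptions; a real audit trail would be pulled from the EHR’s access log with the same fields. It also goes one step beyond the slide by summarizing per user, so the same query separates the single accidental view in Example #2 from the multi-patient pattern in the reportable examples that follow.

```python
"""Access-audit helper: find accesses to patients a user is not assigned to and
show whether each was a single, promptly closed view or part of a pattern.

Added example for this page (not the presentation's code). The log format,
the assignment table and all log lines below are constructed assumptions
modelled on a typical EHR audit trail: timestamp|user|patient MRN|action.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit trail (not real data).
SAMPLE_LOG = """\
2024-03-04T08:02:10|nurse_jsmith|MRN1001|VIEW
2024-03-04T08:02:55|nurse_jsmith|MRN1001|EXIT
2024-03-04T08:03:20|nurse_jsmith|MRN1002|VIEW
2024-03-04T08:40:00|nurse_jsmith|MRN1002|EXIT
2024-03-04T09:15:00|clerk_rdoe|MRN2001|VIEW
2024-03-04T09:15:30|clerk_rdoe|MRN2001|PRINT
2024-03-04T09:16:00|clerk_rdoe|MRN2002|VIEW
2024-03-04T09:16:40|clerk_rdoe|MRN2003|VIEW
2024-03-04T09:17:10|clerk_rdoe|MRN2004|VIEW
"""

# Constructed assignments (assumption): patients each workforce member may access.
# MRN1001 shares the name and gender of MRN1002, the nurse's assigned patient.
ASSIGNMENTS = {
    "nurse_jsmith": {"MRN1002"},
    "clerk_rdoe": set(),
}

# Actions that move PHI out of the system; any of these defeats a "just looked" finding.
EXPORT_ACTIONS = {"PRINT", "EXPORT", "DOWNLOAD"}


def parse_log(text):
    """Parse the pipe-delimited audit trail into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, mrn, action = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "mrn": mrn, "action": action})
    return events


def audit_unassigned_access(events, assignments, quick_exit_seconds=120):
    """One finding per (user, patient) pair the user is not assigned to.

    single_quick_view is True only when the first view was closed with an EXIT
    within quick_exit_seconds, nothing was printed/exported, and there was no
    later access: the pattern the slide's Example #2 describes.
    """
    by_pair = defaultdict(list)
    for e in events:
        if e["mrn"] not in assignments.get(e["user"], set()):
            by_pair[(e["user"], e["mrn"])].append(e)

    findings = []
    for (user, mrn), evs in sorted(by_pair.items()):
        evs.sort(key=lambda e: e["ts"])
        views = [e for e in evs if e["action"] != "EXIT"]
        exits = [e for e in evs if e["action"] == "EXIT"]
        exported = any(e["action"] in EXPORT_ACTIONS for e in evs)
        first_view = views[0]["ts"]
        later_access = any(e["ts"] > first_view for e in views)
        exit_ts = next((e["ts"] for e in exits if e["ts"] >= first_view), None)
        dwell = (exit_ts - first_view).total_seconds() if exit_ts else None
        single_quick = (dwell is not None and dwell <= quick_exit_seconds
                        and not later_access and not exported)
        findings.append({"user": user, "mrn": mrn, "events": len(evs),
                         "dwell_seconds": dwell, "exported": exported,
                         "later_access": later_access,
                         "single_quick_view": single_quick})
    return findings


def summarize_by_user(findings):
    """Per-user rollup: how many unassigned patients were touched and whether any
    PHI was exported. Many distinct unassigned patients is the snooping/sale pattern."""
    summary = {}
    for f in findings:
        s = summary.setdefault(f["user"], {"unassigned_patients": 0, "exported": False})
        s["unassigned_patients"] += 1
        s["exported"] = s["exported"] or f["exported"]
    return summary


if __name__ == "__main__":
    found = audit_unassigned_access(parse_log(SAMPLE_LOG), ASSIGNMENTS)
    for f in found:
        print(f)
    print(summarize_by_user(found))
```

On the constructed log the nurse’s wrong-patient access comes back as a single 45-second view with an EXIT and no further activity, which is the documentation the risk assessment wants for factor three (was the PHI actually acquired or viewed). The clerk’s row set shows four unassigned patients and a PRINT, which is a pattern to escalate, not a low-probability finding. Note what the audit cannot show: it records what the system logged, not what the user read or remembered on screen, so the output is an input to the four-factor assessment, not a substitute for it, and the query result should be retained with the rest of the breach log because the burden of proof sits with the covered entity.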
Examples of Reportable Events
An employee accesses the medical and financial information of various patients and sells the information to known identity thieves
An ex-wife accesses her former husband’s medical information without permission in order to use the information in a pending divorce
An employee accesses a famous individual’s information in order to provide the information to the media
What are Your HIPAA Conundrums and Quandaries?
[Cartoon; caption reads “Nancy, I’m not sure that’s what HIPAA had” (caption cut off)]
Thanks for Attending!!
Intended for internal guidance only, and not as recommendations for specific situations. Readers should consult a qualified attorney for specific legal guidance