HIPAA Data Breach Compliance: Reporting Requirements Under the Omnibus Rule

Published on January 2017
Gerry Hinkley and Allen Briskin
Pillsbury Winthrop Shaw Pittman LLP

The purpose of this presentation is to inform and comment upon legal and regulatory developments in the health care industry. It is not intended, nor should it be used, as a substitute for specific legal advice inasmuch as legal counsel may only be given in response to inquiries regarding particular situations.

1 | HIPAA Data Breach Reporting

Breach Notification
- HITECH established the right of an individual to be notified of breaches of PHI
- Breach = the "unauthorized acquisition, access, use or disclosure of [PHI] which compromises the security or privacy of such information..."
- Exceptions include inadvertent, good-faith access or disclosures within a CE/BA, provided the data is not further subject to unauthorized use or disclosure


IFR Breach Notification Standard
- Interim Final Rule (IFR): CEs/BAs must notify of breaches of unsecured PHI that pose a significant risk of harm to the data subjects
  - Harm includes financial, reputational and "other" harm; this "harm threshold" standard was controversial
- Data correctly encrypted per NIST standards is not "unsecured PHI"
- Exceptions included a limited data set with "extra" deletions (dates of birth and zip codes removed as well)


Omnibus Rule Breach Notification Standard
- The definition of "breach" is changed from the IFR definition
- An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the PHI has been "compromised"
- Determining whether there is a low probability that data has been "compromised" requires analysis of what happened (or may have happened) to the data
- Limited data set exception deleted

Breach Notification – Risk Assessment
- CE/BA should perform a risk assessment after discovering a breach and must consider at least the following four factors:
  - Nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
  - Who the unauthorized recipient (or user) of the PHI was
  - Whether the PHI was actually acquired or viewed
  - The extent to which the risk to the PHI has been mitigated


Breach Notification – Examples of Risk Analysis Criteria
- Likelihood of identification or re-identification:
  - a list of patient names – not low probability
  - patient discharge data with no patient specified – can patients be re-identified? – could be low probability (depends on the circumstances)
- Who is the unauthorized recipient:
  - a HIPAA covered entity (itself bound by the Privacy Rule) – low probability, as long as you have evidence the risk has been mitigated
  - an employer – may be able to use personnel records to re-identify – not low probability


Breach Notification – Examples of Risk Analysis Criteria (2)
- PHI actually acquired or viewed:
  - a lost or stolen laptop recovered with evidence that it was not tampered with and the PHI was not accessed – low probability
  - information mailed to the wrong person – not low probability
- Has improper use been mitigated:
  - satisfactory assurances of destruction (and no further use) from a known recipient – low probability


Breach Notification – Burden of Proof
- If no risk assessment is performed, the default is notification
- The burden of demonstrating a low probability that the PHI has been compromised is on the CE/BA
- A decision not to notify must be documented in case of review


Breach Notification – Obligations to Notify
- CEs must notify individuals (although they can delegate this to BAs)
- BAs must notify CEs (including subcontractors of BAs that qualify as BAs under the expanded definition of "business associate")
- Subcontractors should also be contractually obligated to notify their contracting partner so that the information can go back up the chain


Breach Notification – What Did Not Change
- Definition of "Unsecured Protected Health Information"
- When a breach is treated as "discovered"
- Timeline for notifications
- Content of notification
- Methods of notification
- Notification to the media and the Secretary (minor modification – counting from the year of discovery)
- Notification by Business Associate
- Delay requested by law enforcement
- Documentation and burden of proof
- Preemption standard regarding state laws


HIPAA Breach Notification Requirements
- "Without unreasonable delay": individual notice no later than 60 calendar days after discovery of the breach
- Record keeping of notifications
- If imminent misuse of the PHI is possible, notification by telephone or other means in addition to written notice
- First-class mail, or email if the individual has agreed to electronic notice
- Substitute notification if contact information is insufficient or out of date
- If more than 500 residents of a state or jurisdiction are affected – notify prominent media outlets serving that area
- Notice to the Secretary of HHS, at the same time as individual notice, if 500 or more individuals are affected
- Annual notice to the Secretary (a log submitted within 60 days after the end of the calendar year) if fewer than 500 individuals are affected
- Notice may be delayed at the request of law enforcement


HITECH Notification Requirements
- Two key questions determine whether notification is required:
  - Did the event qualify as a defined "breach"?
  - Was the information protected by encryption (or destruction) meeting HHS guidance, so that it is not "unsecured PHI"?
- Covered Entities (CEs) or Business Associates (BAs) must notify individuals if unsecured protected health information (PHI) has been breached. Following a breach of PHI, CEs must:
  - Perform and document a "probability of compromise" risk assessment
  - Notify affected individuals, government agencies and sometimes the media
- BAs must notify the CE promptly of a breach of unsecured PHI
- Notification laws vary across states; a national standard has been proposed


State Laws
- There are currently 46 state data breach laws, including D.C. and Puerto Rico
- Generally, the duty to notify arises when unencrypted "personal information" was acquired or accessed by an unauthorized person
- Definition of "Personal Information"
  - Many states use the standard definition (name combined with SSN, driver's license or state ID number, or financial account number), but other states add data elements such as health data, DOB, mother's maiden name, employee ID number, passport number or user name
- A number of states require direct notification to state agencies
- Most states require notification to credit reporting agencies
- Some states' breach notification laws contain harm thresholds
  - Notification is not required if there is no reasonable likelihood of harm to affected individuals


Importance of Planning – Policies & Procedures
- Technology: measures to ensure all PII/PHI is secure
- Leadership and individual responsibility
- Limit employee/contractor access to the minimum necessary
- Develop a breach response plan and an incident response team
- Reconciliation with legal requirements
- Tracking of all data received and created, including its location
- Education of the workforce (before and after incidents)
- Business Associate compliance
  - Amending BA agreements
  - Aligning processes and procedures


Policy Development
- Processes for discovering breaches
- Procedures and forms for reporting
- Mechanisms for determining
  - whether unsecured PHI/PII is involved
  - the affected individuals
  - the applicable notification requirements
- Processes for
  - determining appropriate mitigation
  - developing advice to affected individuals
  - creating and distributing notices
  - determining and creating other forms of communication
  - accounting for notifications
  - reporting to the Secretary of HHS


How do you Respond to a Data Breach?
- A collaborative effort, often requiring:
  - An appropriate role for legal counsel
  - Investigative services
  - Industry and data knowledge
  - Computer forensics
  - Database forensics
  - Data mining and analytics
  - Notification of impacted individuals, regulators, etc.
  - Call center
  - Crisis management


Thank you
