You Might Have a HIPAA Breach. Now What?

Ann M. Curran, O'Connor & Thomas, P.C.
Phuong D. Nguyen, Compliance Manager, HealthTexas Provider Network

Introductions
- Phuong D. Nguyen, Compliance Manager, HealthTexas Provider Network, Dallas, Texas
- Ann M. Curran, Attorney, O'Connor & Thomas, P.C., Dubuque, Iowa

Goals for today's session
- Recap the Breach Notification provisions, as modified by the HIPAA Omnibus legislation
- Understand the new culture of Breach Notification
- Addressing breach risks proactively
- Practical tools for creating/optimizing your breach response playbook

Scenario, Part 1
You are the Privacy Officer for ABC Cardiology, a busy practice with ten physicians. At 9:00 Monday morning you receive a call from Dr. B, one of your physicians. He was at the hospital the previous night and dictated reports for 15 patients on his handheld device. This morning he noticed that his dictaphone was missing from his briefcase.

HITECH Breach Notification
- Health Information Technology for Economic and Clinical Health law of 2009 (HITECH)
- Dramatically increased monetary penalties for privacy violations
- 4 tiers of penalties, culminating in $50,000 per record / cap of $1.5 M per year for willful neglect, uncorrected
- Engaged State Attorneys General in HIPAA enforcement
- Modified HIPAA Privacy Regulations, 45 CFR, to create Breach Notification obligations

Breach Notification
If you have a (1) breach of (2) unsecured protected health information, and you cannot demonstrate there is a (3) low probability the PHI has been compromised, you must (4) notify the affected patients and HHS.

(1) Breach definition
- Breach = acquisition, access, use or disclosure of PHI not permitted by HIPAA that compromises the security or privacy of the PHI (45 CFR)
- Breach excludes:
  - Unintentional access by a member of the same workforce or BA
  - Co-workers in an integrated delivery system who are both authorized to view PHI
  - Person cannot reasonably retain the information

Definition of Unsecured
- Not rendered unusable, unreadable or indecipherable to unauthorized individuals
- HHS standard on what renders PHI secure: destruction or encryption
- National Institute of Standards (NIST) Special Publications

Breach risk assessment: rebuttable presumption / low probability
- A Breach is presumed, unless the Covered Entity can demonstrate there is a low probability the PHI has been compromised.
- Note re: old standard, pre-9/23/13
- The new risk analysis MUST include at least these factors:
  - Nature and extent of PHI involved
  - The unauthorized person who used/viewed the PHI
  - Whether the PHI was actually acquired/viewed
  - The extent to which the risk to the PHI has been mitigated

Notice
- Notice must be in writing to all individuals affected
- Notice must be sent as soon as possible, but no later than 60 days after the breach is discovered, or should have been discovered in the exercise of due diligence

Notice
- A brief description of what happened, with applicable dates
- A description of the PHI involved
- Any steps the individual should take to protect themselves from harm
- Description of what the Covered Entity is doing to investigate or fix processes
- Contact information

Notice Methods
- Written form by first class mail (e-mail ok if patient previously agreed)
- Substitute notice if 10 or fewer patients cannot be identified: phone, relatives

Notice
- Substitute notice for more than 10 patients:
  - Conspicuous posting on web site with link to the notice for 90 days, or
  - Notice posted with broadcast media in the area

Notice
- Where PHI of >500 patients is leaked, the Covered Entity must also notify local media and the Department of Health and Human Services immediately
- Leaks of <500 patients require annual reports to HHS (online reporting system)
- Note re: budgeting for large notice situations

Business Associates
- Business Associates are required to notify the Covered Entity of PHI leaks
- BA Agreements must be updated to reflect reporting requirements

State privacy laws
- Don't forget to check state breach notification requirements and integrate those into your processes

Scenario, Part 2
Searches of the physician's house, car, office and the hospital fail to discover the missing dictaphone. One full day has passed since the physician reported the device missing. On Tuesday (Day 2) you identify the 15 patients whose PHI was on the dictaphone and you begin to wonder if you should notify the patients of the breach now, or wait and continue searching. You decide to wait until the following day and discuss the issue further with group leadership.

Scenario: Conclusion
On Wednesday morning, Physician B calls you to say that he found the dictaphone in his locker in the physician locker room at the hospital. Physician B believes he must have missed it while searching on Monday. Physician B's locker was not locked. You learn from the hospital that the door to the physician locker room is not kept locked. You examine the device and find that it is cued up at the end of the last report dictated.

The thought process of a Breach Investigation
- Do you have a Reportable Breach?
- What information went missing / was stolen / was inappropriately accessed?
- Is it PHI?
- Was it secure?
- If it was unsecured, does the PHI exposure fit into one of the three exceptions?
  - Co-worker or BA, unintentional access
  - Co-worker in integrated system, both ok to view PHI
  - Person who accessed PHI could not retain the information

Breach risk analysis
- You must report a Breach, unless your risk analysis shows a low probability of financial or reputational harm to the individual.
- The risk analysis MUST include at least these factors:
  - Nature and extent of PHI involved
  - The unauthorized person who used/viewed the PHI
  - Whether the PHI was actually acquired/viewed
  - The extent to which the risk to the PHI has been mitigated

Breach risk analysis tools
- HIPAA breach decision making tool
- Don't forget state breach notification laws

Mitigating Breach Risk
How can we prevent a breach from occurring?
- Policies
- Education & Training
- Workflow Design
- Nurturing a Culture of Compliance
- Great Customer Service

Basic Policies to Have
Do you have written policies and procedures that cover these topics?
- Incident reporting and investigation
- Breach Notification
- Securing PHI
- HIPAA Safeguards
- Use & Disclosure of PHI
- Enforcement

Addressing Risk with Policies
Do you have written policies and procedures addressing identified risk areas?
- Risk Assessments
- Site Visits
- Workflow Analyses
- New Initiatives
- OCR (e.g., press releases)
- Internal Reporting

Education & (Re-)Training
Education
- Role-based: is the content appropriate? Clinical vs. non-clinical staff
- Track assignment and completion
- Policy on training: what happens if the employee fails to complete the education or training?
- Education can occur:
  - Upon hire or change in job role
  - Periodically
  - As needed (e.g., special topics, after a breach)
- Consider training HIPAA Liaisons at each location
- State requirements

Training Topics
- Policies and Procedures
  - Key policies all employees should understand
  - Policies relevant to the job role
- Identified Risk Areas
  - Electronic devices and ePHI: computers, mobile devices and text messaging
  - Vendors
- Basic Concepts in Privacy & Security
  - What is PHI? What is a patient identifier?
  - Appropriate and inappropriate uses/disclosures
  - Minimum Necessary
  - Implementing safeguards, physical and electronic

Workflow: Do you know where your PHI is?
- Analyze workflow for privacy and security
- Map the path that PHI takes in a given workflow
  - Who receives PHI and how much?
  - Where is PHI stored? Example: temporary storage bins
  - What happens to PHI after it is used? Is it sitting in someone's account?

Contents of a Breach Response Playbook
- Outline some key elements or steps:
  - Stop the harm
  - Investigation
  - Assessment
  - Corrective action
  - Notification
- Designate key players and responsibilities
- Have a copy of relevant policies: breach reporting, investigation and notification policy

Stop the harm
- What can be done immediately to stop or reduce any harm?
- Have a list of contacts for certain types of actions
  - Example: If unauthorized access is reported, who do you call to identify and deactivate the access?

Investigation
- Who will investigate?
  - Investigator needs authority to investigate
  - Team or individual?
  - Escalation process (i.e., overcoming hurdles)
- Who will participate or be a resource?

Investigation Resources
- Identify key internal and external resources
  - Include leadership from various departments, such as Operations, IT, Legal, Marketing
  - Include leadership from key business associates and other vendors
- Do you have boots on the ground? Consider identifying liaisons for each location

Investigation Toolkit
- Written procedure for reporting and investigating incidents
- Incident reporting form: collect basic information about the incident up front (the who, what, when, where and how questions) from the reporter
- Investigation tool or checklist: create a tool or checklist that helps you gather all the information that you need to collect from the investigation
- Investigation log: document steps taken in the investigation; helps create a timeline of the events and investigation

Sample Questions for an Intake Form
- Detailed scenario of what happened
- Identify the following:
  - Date reported to Compliance Department
  - Clinic location name and address
  - Name/title/phone number of the person reporting the incident to the Compliance Department
  - Date of the disclosure
  - Date that the incident was identified and reported to supervisor
  - How the incident was identified
  - Number of patients affected
  - Patient name, correct address and MRN# (whose information was disclosed)
  - Who received the information in error
  - Identify what PHI was disclosed
  - If lab tests were involved, identify the name of each test and whether it was normal or abnormal (e-mail or fax copies of the labs)
  - If PHI was sent to the wrong person, was it sent back to the practice? If not, what happened to it?
  - Name and title of the employee who disclosed the information

Building an Investigation Tool
- The investigation should gather the information you need to assess the incident, determine whether a breach has occurred, and determine the appropriate corrective action
- The investigation should uncover the facts of the incident

Building an Investigation Tool
- Identify root causes
  - Technical? Was the issue identified in a risk assessment, or is a risk assessment needed? Is there a technical solution? Internal or third-party?
  - Process or workflow? Identify relevant policies and procedures. Was the policy or procedure followed? Does the policy or procedure need to be revised?
  - Lack of knowledge? Was education previously provided? What (re-)education is needed? Is the need isolated or widespread?

Building an Investigation Tool
- What information do you need to perform the breach analysis?
  - Whether the incident involves unsecured PHI
  - Whether the incident violates HIPAA
  - Whether the incident fits a breach exception
  - Whether the incident has a low probability that the PHI was compromised

Special Topic: Incidents involving ePHI
- Identify key computer systems and a contact person for each system
  - Example: Who is the EHR expert (back-end and front-end experts)?
- Learn the basic security features of key systems
  - What audit reports are available?
- Develop a rapid response process
  - Example: When a laptop is reported as stolen, what steps should IT automatically take to mitigate risk?
    - Enable device locator
    - Remotely disable device
    - Remotely wipe data
    - Verify encryption status
    - Notify the compliance department

Special Topic: Major Incidents
- What is a major incident for your organization?
- Consider different procedures for major incidents
  - May require more or specialized resources
  - May require active participation by senior leadership
  - May want to engage legal counsel
  - May involve sensitive information (for the patient or organization)

Managing Investigation Deadlines
- 60 days
- Set deadlines for key steps
- Monitor progress with scheduled meetings and reports
- Know the timeframe for common tasks
  - Example: How long does it take to set up a call center?

Breach Assessment
- Determine how many patients are affected: greater than 500 patients affected?
- Perform your breach analysis:
  - Was the acquisition, access, use or disclosure of PHI not permitted under HIPAA?
  - Does the incident meet a breach exception?
  - Is there a low probability that the PHI has been compromised?
  - What about state law?
- Use a breach assessment tool to document the assessment
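The decision path on the breach analysis slides (secured? permitted? breach exception? low probability of compromise?) together with the notice rules stated earlier (60-day individual notice, substitute notice for more than 10 unreachable patients, >500 patients triggers media and immediate HHS notice, smaller leaks go in the annual HHS report) can be written down as one small assessment helper. The following is an added example, not the presenters' breach decision-making tool: the Incident fields, the "every factor must support low probability" rule, and the two scenario functions are this example's own assumptions, and the factor values in the dictaphone scenario are a constructed illustration of one investigator's judgment.

```python
"""Breach assessment helper (added example; assumed names and rules)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

NOTICE_DEADLINE_DAYS = 60         # individual notice no later than 60 days after discovery
SUBSTITUTE_NOTICE_THRESHOLD = 10  # web posting / broadcast media if more than 10 unreachable
LARGE_BREACH_THRESHOLD = 500      # slide wording: >500 patients -> local media + HHS immediately

# The three exclusions from the breach definition, as the slides list them.
EXCEPTIONS = {
    "unintentional_workforce_access",  # unintentional access by workforce member or BA
    "authorized_coworker",             # co-workers both authorized to view the PHI
    "cannot_retain",                   # recipient could not reasonably retain the information
}


@dataclass
class Incident:
    discovered: date                  # discovered, or should have been with due diligence
    patients_affected: int
    unreachable_patients: int = 0     # patients with no usable contact information
    secured: bool = False             # encrypted or destroyed per HHS guidance
    permitted_under_hipaa: bool = False
    exception: Optional[str] = None
    # The four mandatory risk-analysis factors. Each is True when the investigator
    # concludes that factor supports a LOW probability of compromise (assumed encoding).
    limited_phi_nature: bool = False  # nature and extent of the PHI involved
    recipient_trustworthy: bool = False  # the unauthorized person who used/viewed it
    not_actually_viewed: bool = False  # whether the PHI was actually acquired/viewed
    risk_mitigated: bool = False      # extent to which the risk has been mitigated


def low_probability_of_compromise(inc: Incident) -> bool:
    """Assumed conservative rule: one adverse factor keeps the presumption of breach."""
    return all([inc.limited_phi_nature, inc.recipient_trustworthy,
                inc.not_actually_viewed, inc.risk_mitigated])


def notice_deadline(discovered: date) -> date:
    return discovered + timedelta(days=NOTICE_DEADLINE_DAYS)


def assess(inc: Incident) -> dict:
    """Walk the slides' decision path; return the reason and resulting obligations."""
    result = {"reportable": False, "reason": "", "obligations": []}
    if inc.secured:
        result["reason"] = "PHI was secured (encrypted/destroyed): not unsecured PHI"
        return result
    if inc.permitted_under_hipaa:
        result["reason"] = "use or disclosure was permitted under HIPAA: no breach"
        return result
    if inc.exception in EXCEPTIONS:
        result["reason"] = f"falls within breach exception: {inc.exception}"
        return result
    if low_probability_of_compromise(inc):
        result["reason"] = "documented risk analysis shows low probability of compromise"
        return result
    result["reportable"] = True
    result["reason"] = "presumed breach: low probability of compromise not demonstrated"
    result["individual_notice_deadline"] = notice_deadline(inc.discovered)
    obligations = ["written notice to each affected individual by first-class mail"]
    if inc.unreachable_patients > SUBSTITUTE_NOTICE_THRESHOLD:
        obligations.append("substitute notice: web posting for 90 days or broadcast media")
    elif inc.unreachable_patients > 0:
        obligations.append("substitute notice by phone or other means")
    if inc.patients_affected > LARGE_BREACH_THRESHOLD:
        obligations += ["notify local media", "notify HHS immediately"]
    else:
        obligations.append("record for the annual HHS report")
    obligations.append("check state breach notification law")
    result["obligations"] = obligations
    return result


def dictaphone_scenario() -> dict:
    """The slides' scenario: 15 patients, device recovered on day 3, cued at the end
    of the last report. Factor values are constructed for illustration."""
    inc = Incident(discovered=date(2014, 1, 6), patients_affected=15,
                   limited_phi_nature=True, recipient_trustworthy=True,
                   not_actually_viewed=True, risk_mitigated=True)
    return assess(inc)


def stolen_laptop_scenario() -> dict:
    """Constructed contrast: unencrypted laptop, 1,200 patients, 30 unreachable."""
    return assess(Incident(discovered=date(2014, 1, 6), patients_affected=1200,
                           unreachable_patients=30))


if __name__ == "__main__":
    print("dictaphone:", dictaphone_scenario())
    print("laptop:", stolen_laptop_scenario())
```

The point of writing the factors as explicit fields is documentation: whatever values the investigator assigns, the assessment record shows which factor decided the outcome, which is exactly what OCR will ask to see. The "all four factors" rule is deliberately strict; an organization may reasonably weigh the factors differently, but should document the rule it uses.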

Take Corrective Action
- Take corrective action to address the root cause of the incident
  - If the cause is technical, apply a technical solution or a workaround to the technical issue
  - If the cause is process related, implement a change to the process
- (Re-)Educate and (Re-)Train as needed
- Enforce accountability: guidelines for employee discipline?

Notification
- Written procedure for OCR notification
- Written procedure for patient notification
  - What information do you need to conduct a mail-out?
  - How long does your process take?
  - Different process when a significant number of patients is affected? How many is a significant number?
  - If you use a vendor, what information does the vendor need? In what format?
  - Website notice? Media notice?

Post Notice: Patient Calls
- Are you ready to receive calls from patients?
  - Toll-free number
  - Internal call center or vendor
  - Operator training, call scripts and call logging
- Frequent questions from patients:
  - What happened?
  - What corrective action was taken?
  - What information of mine was involved?
  - What happened to the employees involved?
- Escalation procedures

What if OCR calls?
- Be ready to discuss:
  - Your risk assessment
  - Policies and procedures
  - The investigation: what happened? What went wrong?
  - Actions taken to mitigate risk of harm: how did you stop the harm?
  - Corrective actions taken
  - Education and training
- Be ready to provide documentation