Healthcare forum yelorda megan himss presentation
Office of the Secretary, Office for Civil Rights (OCR)
Guidance on OCR’s Process for
Breach Investigations
Presented by
Megan Yelorda, JD, MPH
Equal Opportunity Specialist
OCR
Definition of a Breach
• Breach means the acquisition, access,
use, or disclosure of protected health
information (PHI) in a manner not
permitted under HIPAA which
compromises the security or privacy of the
PHI. See 45 C.F.R. § 164.402
• Covered entities (CE) and business associates (BA)
are required to provide breach notifications only if the
breach involved unsecured PHI.
• Unsecured PHI is PHI that has not been rendered
unusable, unreadable, or indecipherable to unauthorized
persons through the use of a technology or methodology
specified by the Secretary in the guidance issued under
section 13402(h)(2) of Public Law 111-5. See 45 C.F.R.
§ 164.402
Breach Safe Harbors
PHI is rendered unusable, unreadable, or indecipherable to unauthorized
individuals if one or more of the following applies:
• Electronic PHI has been encrypted as specified in the HIPAA Security Rule by “the
use of an algorithmic process to transform data into a form in which there is a low
probability of assigning meaning without use of a confidential process or key”
• The media on which the PHI is stored or recorded has been destroyed in one of the
following ways:
– (i) Paper, film, or other hard copy media have been shredded or destroyed such
that the PHI cannot be read or otherwise cannot be reconstructed. Redaction is
specifically excluded as a means of data destruction.
– (ii) Electronic media have been cleared, purged, or destroyed such that the PHI
cannot be retrieved.
When is Notification Required?
A breach of unsecured PHI is presumed to require
notification, unless the CE or BA can demonstrate a low
probability that the PHI has been compromised, based on a
risk assessment of at least the following factors:
– Nature & extent of PHI involved
– Who received/accessed the information
– Potential that PHI was actually acquired or viewed
– Extent to which risk to the data has been mitigated
See 45 C.F.R. § 164.402(2)(i)-(iv)
Breach Reporting Requirements
Once a breach of unsecured PHI is discovered, the CE/BA
must:
• Notify each individual affected:
– Without unreasonable delay and no later than 60
calendar days after discovery
• Notify the media:
– Breaches involving more than 500 residents of a
State or jurisdiction
– Without unreasonable delay and no later than 60
calendar days after discovery
Once a breach of unsecured PHI is discovered, the CE/BA
must notify the Secretary:
• 500 or more affected individuals:
– Without unreasonable delay and no later than 60
calendar days after discovery
– In the manner specified on the HHS website
• https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf?faces-redirect=true
• Fewer than 500 affected individuals:
– No later than 60 days after the end of the calendar year
in which the breaches were discovered
Breaches that OCR Investigates
• OCR reviews all breaches that are
reported.
• Breaches involving 500 or more affected
individuals automatically start an
investigation.
• Breaches involving fewer than 500
individuals are reviewed to determine
whether to start an investigation, based on
the facts and circumstances of the breach.
• OCR can also open a breach investigation
based on a complaint received from an
individual.
– Example:
• An anonymous Complainant stated that she
discovered 100 patients’ charts in a trash dumpster
in the back of the CE’s office.
• OCR could open an investigation based on the
information the Complainant provided.
Verification of Breach Reports
• Once OCR opens an investigation of a
breach, the information in the breach
report is verified with the reporting CE
• Once verified, the information is posted on
our public website
Investigative Process
• If the breach report contains facts that suggest
criminal activity, OCR may refer the case to DOJ
for investigation.
• DOJ accepts cases from OCR based on its own
discretion.
– Example: A CE submitted a breach report that
stated one of its employees impermissibly
obtained the PHI of several hundred patients and
sold the PHI for personal gain.
Informal Case Resolution
After reviewing the CE’s response to the data request, OCR may take one of
the following actions to resolve the case informally:
• Close after providing technical assistance to the CE
– CE already took action to mitigate the harm caused from the
breach and/or corrective action. CE provided OCR sufficient
documentation of actions taken.
• Close after corrective action is taken
– CE needs to take corrective action (e.g. train employees,
update/implement policies and procedures, implement
appropriate safeguards, etc.)
• Other resolution
– Resolution agreement (RA)
Resolution Agreement
– When the completed investigation indicates noncompliance
– Considerations include:
• Depth and nature of the noncompliance within the CE
• CE failed to comply with multiple requirements of the Privacy Rule (PR) or Security Rule (SR)
• The noncompliance affected a very large number of people/extended over a
very long period of time.
– All RAs are made public and published on OCR’s website
– The principal component of a Resolution Agreement is a written corrective action
plan and ongoing monitoring of compliance by a third-party monitor retained by
the CE that makes independent compliance reports to OCR and the CE.
– A Resolution Agreement may include a payment from the CE to OCR
– The calculation of the amount of a payment is based on the potential civil
monetary penalty (CMP) that could be imposed in a Notice of Proposed
Determination
Resolution Agreement Examples:
• Anchorage Community Mental Health Services, Inc.
– Malware compromising the security of its information technology resources
– Failed to conduct a risk analysis from 2005-2012
– Failed to implement appropriate security policies and procedures from 2005-2012
– Pay HHS $150,000
• Idaho State University
– Firewall protecting the server was taken down for maintenance and not reactivated; the server’s files were then accessed by an unauthorized party
– Failed to conduct a risk analysis from 2007-2012
– Failed to implement a risk management plan from 2007-2012
– Pay HHS $400,000
• Alaska Dept. of Health and Social Services
– Electronic portable storage device stolen from vehicle
– Failed to complete risk analysis
– Failed to implement risk management plan
– Failed to address device and media encryption
– Pay HHS $1.7 million
Formal Case Resolution
• Where noncompliance with the Privacy Rule is indicated
and the matter is not resolved by informal means
• 45 C.F.R. § 160.312(a)(3)(i) requires that OCR so inform
the CE and provide the CE with an opportunity to submit,
within 30 days of receipt of such notification, written
evidence of any mitigating factors and/or affirmative
defenses. This notification is known as a Letter of Opportunity (LOO).
• The LOO does not contain a formal finding of noncompliance. Rather, it is
the immediate predecessor to a Notice of Proposed Determination (NPD) in
which the formal findings of fact and findings of noncompliance are made.
• The LOO gives enough information about the indicated noncompliance to
put the CE on notice about the imminent potential for the issuance of a
proposed Civil Money Penalty (CMP) in a NPD.
• The NPD is issued when the covered entity is found to have failed to comply
with the Privacy Rule and OCR’s attempts to resolve the matter by informal
means that are satisfactory to OCR have not been agreed to by the covered
entity.
• The NPD will contain:
– Reference to the statutory basis for the penalty;
– A description of the findings of fact regarding the violations with respect to which the penalty
is proposed;
– The reason(s) why the violation(s) subject(s) the respondent to a penalty;
– The amount of the proposed penalty;
– Any circumstances described in §160.408 that were considered in determining the amount of
the proposed penalty; and
– Instructions for responding to the NPD, including a statement of the respondent's right to a
hearing, a statement that failure to request a hearing within 90 days permits the imposition of
the proposed penalty without the right to a hearing under §160.504, or a right of appeal
under §160.548 of this part, and the address to which the hearing request must be sent.
• When OCR issues a NPD, the NPD will instruct the covered entity
(respondent) that it may request a hearing before an administrative law
judge (ALJ) of the HHS Departmental Appeals Board (DAB) by filing a
written request within 90 days of the respondent’s receipt of the NPD. See
45 C.F.R. §§ 160.420 and 160.504.
• The parties to the hearing will be the respondent and OCR on behalf of the
Secretary.
Example
A CE/BA reported that an employee left a
laptop in his car. The car was broken into
and the laptop was stolen. The CE/BA
reported that the laptop was not encrypted,
but it was password protected (password
protection alone does not meet the encryption
safe harbor described above). The CE
reported that the laptop contained PHI for
1,500 patients. The PHI included
demographic information, SSNs, clinical
diagnoses, and other information.
• Report reviewed by OCR management
• Assigned to an Investigator
• Verified with the CE
• Information posted on our website
• Investigation
Potential violations may include:
– Privacy Rule
• §164.502(a) – Impermissible Use and Disclosure
• §164.530(c) – Safeguards
• §164.530(f) – Mitigation
• §164.530(i) – Policies and Procedures
– Security Rule
• §164.308(a)(1)(ii)(A) – Risk Analysis (Required)
• §164.308(a)(1)(ii)(B) – Risk Management (Required)
• §164.308(a)(1)(ii)(C) – Sanction Policy (Required)
• §164.308(a)(5)(i) – Security Awareness and Training
• §164.308(a)(6)(i) – Security Incident Procedures
• §164.308(a)(6)(ii) – Response and Reporting (Required)
• §164.310(c) – Workstation Security
• §164.310(d)(1) – Device and Media Controls
• §164.312(a)(2)(iv) – Encryption and Decryption (Addressable)
– Breach notification rule
• §164.404(a) – Breach notification to individuals
• §164.406(a) – Breach notification to the media
Potential data request items may include:
Privacy Rule:
– A copy of HIPAA policies and procedures regarding:
• Use and disclosure of protected health information
• Safeguards
Security Rule:
– A copy of the risk analysis performed prior to the incident and any conducted after the
incident.
– Evidence of the security measures implemented to reduce risks and vulnerabilities identified
in the risk analysis (risk management plan).
– A copy of sanctions policy and documentation of sanctions, if appropriate.
– Evidence of the procedures implemented to review activity related to incident reports.
– Evidence of security training program. Copies of most recent training materials.
– A copy of the incident report created in response to the exposure incident including any
corrective actions taken.
– Policies for the receipt and removal of hardware and electronic media.
• Are all mobile devices and media that store or could store e-PHI identified?
• Are the receipt and removal of e-PHI storage devices logged and tracked?
– Copies of mechanisms in place for encryption/decryption.
– Evidence of the auditing mechanisms implemented by CE for its server.
– A copy of the procedures implemented by CE to verify access to the server.
Breach Notification Rule:
– Documentation that the affected individuals were notified of the breach.
– A sample copy of the notification to individuals.
– Documentation that the media was notified of the breach.
– A copy of the notification to the media.