HIPAA Data Breach Compliance: Reporting Requirements Under the Omnibus Rule
Transcript of HIPAA Data Breach Compliance: Reporting Requirements Under the Omnibus Rule
-
7/30/2019 HIPAA Data Breach Compliance: Reporting Requirements Under the Omnibus Rule
Pillsbury Winthrop Shaw Pittman LLP
HIPAA Data Breach Reporting
Requirements Under the Omnibus Rule
Gerry Hinkley
Allen Briskin
-
The purpose of this presentation is to inform and comment upon legal and regulatory developments in the health care industry. It is not intended, nor should it be used, as a substitute for specific legal advice, inasmuch as legal counsel may only be given in response to inquiries regarding particular situations.
-
Breach Notification
HITECH established the right of an individual to be notified of breaches of PHI
Breach = the unauthorized acquisition, access, use or disclosure of [PHI] which compromises the security or privacy of such information
Exceptions include inadvertent, good faith access or disclosures within a CE/BA if the data is not further subject to unauthorized use
-
IFR Breach Notification Standard
Interim Final Rule (IFR): CEs/BAs must notify of breaches of unsecured PHI that cause a significant risk of harm to the data subjects
Harm includes financial and other harm; the standard was controversial
Data correctly encrypted per NIST standards is not unsecured PHI
Exceptions included a limited data set with extra deletions
-
Omnibus Rule Breach Notification Standard
Definition of breach is changed from the IFR definition
An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates there is a low probability that the PHI has been compromised
Determining whether or not there is a low probability that data has been compromised requires analysis of what happened (or may have happened) to the data
Limited data set exception deleted
-
Breach Notification Risk Assessment
CE/BA should perform a risk assessment after breach discovery and must consider at least the following:
Nature and extent of PHI involved, including types of identifiers and likelihood of re-identification
Who was the recipient of the PHI
Was the PHI actually acquired or viewed
The extent to which the risk of misuse of the PHI has been mitigated
-
Breach Notification Examples of Risk Analysis Criteria
Likelihood of identification or re-identification:
a list of patient names: not low probability
patient discharge data with the patient not specified: can patients be re-identified? could be low probability (depends on the circumstances)
Who is the unauthorized recipient:
a HIPAA covered entity: low probability, as long as you have evidence the risk has been mitigated
an employer that may be able to use personnel records to re-identify: not low probability
-
Breach Notification Examples of Risk Analysis Criteria (2)
PHI actually acquired or viewed:
untampered-with laptop: low probability
information mailed to the wrong person: not low probability
Has improper use been mitigated:
satisfactory assurances of destruction from a known person: low probability
-
Breach Notification Burden of Proof
If no risk assessment is performed, the default is notification
Burden of demonstrating a low probability that PHI is compromised is on the CE/BA
Decision not to notify must be documented in case of review
-
Breach Notification Obligations to Notify
CEs must notify individuals (although they can delegate this to BAs)
BAs must notify CEs (including subcontractors of BAs that qualify as BAs under the expanded definition of business associate)
Subcontractors should also be obligated to notify their contracting partner so the information can go back up the chain
-
Breach Notification What Did Not Change
Definition of Unsecured Protected Health Information
When a breach is treated as discovered
Timeline for notifications
Content of notification
Methods of notification
Notification to the media and the Secretary (minor modification: counting from year of discovery)
Notification by Business Associate
Delay requested by law enforcement
Documentation and burden of proof
Pre-emption standard regarding state laws
-
HIPAA Breach Notification Requirements
Without unreasonable delay: typically within 60 days of breach discovery
Record keeping of notifications
If imminent danger exists, notification by telephone or other means
First class mail, or email if requested
Substitute notification if contact information is unavailable
If more than 500 residents of a state or region are affected, disclose to prominent media outlets
Immediate notice to the Secretary of HHS if more than 500 individuals are impacted and information is acquired or disclosed (not accessed)
Annual notice to the Secretary if fewer than 500 individuals are impacted
Notice may be delayed at the request of law enforcement
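The following helper, added here as an illustration and not the presenters' tool or any regulator's, turns the decision rules on the preceding slides (the Omnibus presumption of breach, the four-factor risk assessment, the default to notify when no assessment is documented, and the 60-day and more-than-500 thresholds) into a checklist for a single breach event. The `BreachEvent`, `RiskAssessment` and `obligations` names and the sample event are constructed for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
# Thresholds as the slides state them ("more than 500", "within 60 days"); helper written for this page.
LARGE_BREACH_THRESHOLD = 500
NOTICE_WINDOW_DAYS = 60

@dataclass
class RiskAssessment:
    # The four factors a CE/BA must at least consider after discovering a breach.
    nature_and_extent_of_phi: str        # identifiers involved, likelihood of re-identification
    unauthorized_recipient: str          # who received the PHI
    acquired_or_viewed: str              # was the PHI actually acquired or viewed
    mitigation: str                      # how far the risk of misuse has been mitigated
    low_probability_of_compromise: bool  # conclusion the CE/BA bears the burden of demonstrating

@dataclass
class BreachEvent:
    discovered_on: str                   # ISO date the breach is treated as discovered
    individuals_affected: int
    max_residents_in_one_state: int      # largest single-state or single-region count
    assessment: Optional[RiskAssessment] = None
    law_enforcement_delay: bool = False
    contact_info_available: bool = True

def notification_required(ev: BreachEvent) -> bool:
    # Omnibus presumption: an impermissible use or disclosure is a breach unless low
    # probability of compromise is demonstrated; no documented assessment means notify.
    if ev.assessment is None:
        return True
    return not ev.assessment.low_probability_of_compromise

def obligations(ev: BreachEvent) -> dict:
    # Map a breach event to the duties the slides list; every decision is documented,
    # including a decision not to notify.
    duties = {"notify_individuals": notification_required(ev), "document_decision": True}
    if not duties["notify_individuals"]:
        return duties
    deadline = date.fromisoformat(ev.discovered_on) + timedelta(days=NOTICE_WINDOW_DAYS)
    duties.update({
        "individual_notice_deadline": None if ev.law_enforcement_delay else deadline.isoformat(),
        "substitute_notice": not ev.contact_info_available,   # contact details unavailable
        "notify_media": ev.max_residents_in_one_state > LARGE_BREACH_THRESHOLD,
        "hhs_notice": "immediate" if ev.individuals_affected > LARGE_BREACH_THRESHOLD else "annual",
    })
    return duties

# Constructed sample: unencrypted laptop lost with 1,200 patients' records, 900 in one state, no assessment yet.
SAMPLE = BreachEvent("2019-07-30", 1200, 900)
```

The boundary case of exactly 500 individuals is deliberately left as the slides phrase it ("more than 500"); check the current regulation text before relying on the threshold comparison.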
-
HITECH Notification Requirements
Two key questions to determine whether notification is required:
Did the event qualify as a defined breach?
Was the information protected by an encryption-like technology?
Covered Entities (CE) or Business Associates (BA) must notify individuals if unsecured personal health information has been breached.
Following a breach of protected health information, CEs must:
Perform and document a probability-of-compromise assessment
Notify affected individuals, government agencies and sometimes the media
BAs must notify a CE promptly of a breach of unsecured PHI
Some variation in notification laws across states; a national standard has been proposed
-
State Laws
There are currently 46 state data breach laws, including D.C. and Puerto Rico
Generally, the duty to notify arises when unencrypted personal information was acquired or accessed by an unauthorized person
Definition of Personal Information
Many states use the standard definition, but other states add data elements such as health data, DOB, mother's maiden name, employee ID number, passport number or user name
A number of states require direct notification to state agencies
Most states require notification to credit reporting agencies
Some states' breach notification laws contain harm thresholds
Notification is not required if there is no reasonable likelihood of harm to affected individuals
-
Importance of Planning Policies & Procedures
Technology: measures to ensure all PII/PHI is secure
Leadership and individual responsibility
Limit employee/contractor access to the minimum necessary
Develop a breach response plan and incident response team
Reconciliation with legal requirements
Tracking of all data received and created, including location
Education of workforce (before and after incidents)
Business Associate compliance
Amending BA agreements
Aligning processes and procedures
-
Policy Development
Processes for discovering breaches
Procedures and forms for reporting
Mechanisms for determining:
if unsecured PHI/PII is involved
affected individuals
applicable notification requirements
Processes for:
determining appropriate mitigation
developing advice to affected individuals
creating and distributing notices
determining and creating other forms of communication
accounting for notification
reporting to the Secretary of HHS
-
How do you Respond to a Data Breach?
Collaborative effort often requiring:
Appropriate role for Legal Counsel
Investigative Services
Industry and Data Knowledge
Computer Forensics
Database Forensics
Data Mining and Analytics
Notification of impacted individuals, regulators, etc.
Call Center
Crisis Management
-
Thank you