
Incident response team

Planning ahead facilitates effective breach response

Paula Moran, MEd, and Jennifer Edlind, JD, CHC, know what they’re talking about when they say having an incident response team in place when a data breach occurs is important. Moran is privacy and security manager at Massachusetts General Hospital (MGH) in Boston. Edlind is director of privacy and compliance operations at University Hospitals Health System (UH) in Cleveland.

Both organizations have established incident response teams—and with the number of privacy violations on the increase, Moran and Edlind say privacy and information security programs can benefit by doing the same.

Establish your team

If a privacy incident is reported or detected, Moran and Edlind recommend having a team in place to quickly determine the impact and magnitude of the incident and decide how to respond to meet data breach requirements.

HHS issued interim final breach notification regulations in August 2009, as required by the HITECH Act—rules expected to be finalized very soon. You can access the regulations at www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html.

When an incident occurs within a covered entity (CE), it should be viewed as a hospital management issue, rather than a privacy office problem, Moran says. After all, the incident could involve many individuals and affect a number of departments.

Understanding how the incident occurred and why is critical. An incident response team enables everyone to quickly gather at the same table to hear the same information at the same time.

Who should be on your team?

Moran and Edlind recommend a team that includes representatives from the following departments:

➤ Legal and risk management
➤ PR
➤ Human resources
➤ Information security
➤ Compliance/privacy officers
➤ Police and security
➤ Physicians and/or chiefs
➤ Research and the institutional review board

This month’s tip—Learn what a compliance officer needs to know about responding to noncompliance complaints on p. 12.

October 2012 Vol. 12, No. 10

IN THIS ISSUE

p. 4 Privacy and security lessons learned: Healthcare organizations share their experiences.
p. 5 Campaign creates HIPAA awareness: Data breach at Massachusetts General Hospital has silver lining.
p. 6 Sample incident response policy: Use this sample policy to guide your organization’s response to a privacy or security incident.
p. 8 Sample sanctions policy: Use this sample policy to develop sanctions for privacy and security breaches.
p. 11 HIPAA Q&A: You have questions; we have answers.
p. 12 Compliance building blocks: A proactive approach helps ensure an appropriate response to noncompliance complaints.

Inside: Privacy & Security Primer

Page 2 Briefings on HIPAA October 2012

© 2012 HCPro, Inc. For permission to reproduce part or all of this newsletter for external distribution or use in educational packets, contact the Copyright Clearance Center at www.copyright.com or 978-750-8400.

Determine who your players are and who has responsibility for which tasks, says Edlind. These departments can play different roles. For example, PR can ensure accurate information is provided to the media, information security might assist with forensics, and the security department might oversee an internal investigation.

At MGH, the privacy office takes the lead to facilitate the meeting and assign responsibilities and action items.

Legal concerns

The legal department is essential with respect to providing advice and ensuring that you follow federal breach notification rules and applicable state law. Deciding whether your investigation of an incident will be privileged is important.

“It’s really essential that each organization talk to counsel about what is covered by attorney-client privilege. That should be decided before you are thrust into investigating a privacy or security incident,” says Edlind.

A breach that involves multiple states could require much expertise and possibly outside counsel. You could face unique or conflicting notification requirements, she says.

Communication issues

The incident response team will also face communication concerns. Who needs to know what and when do they need to know it? Identify appropriate leaders beforehand and communicate with them regularly when an incident occurs.

When planning for various internal communications, limit the number of content editors, Moran advises. Designate individuals who best understand the situation to write, edit, and approve any communications. Delegate responsibility for managing and reviewing all external communication to your PR department. The member of this department who serves on the incident response team knows firsthand what happened and can ensure that accurate information is released, Moran says.

MGH experienced a data breach and subsequent OCR investigation that resulted in a $1 million resolution agreement in 2011. The incident that resulted in the resolution agreement and corrective action plan involved the loss of PHI of patients from the hospital’s infectious disease associates outpatient practice. During March of 2009, an employee who took work home over the weekend left files on a subway train, including a patient schedule and some billing records.

Moran says she is frequently asked what happened to the employee—whether the individual was disciplined or terminated. She always declines to answer based on the principle of also protecting the privacy of employees involved in the incident.

Briefings on HIPAA (ISSN: 1537-0216 [print]; 1937-7444 [online]) is published monthly by HCPro, Inc., 75 Sylvan St., Suite A-101, Danvers, MA 01923. Subscription rate: $349/year. • Briefings on HIPAA, P.O. Box 3049, Peabody, MA 01961-3049. • Copyright © 2012 HCPro, Inc. All rights reserved. Printed in the USA. Except where specifically encouraged, no part of this publication may be reproduced, in any form or by any means, without prior written consent of HCPro, Inc., or the Copyright Clearance Center at 978-750-8400. Please notify us immediately if you have received an unauthorized copy. • For editorial comments or questions, call 781-639-1872 or fax 781-639-7857. For renewal or subscription information, call customer service at 800-650-6787, fax 800-639-8511, or email [email protected]. • Visit our website at www.hcpro.com. • Occasionally, we make our subscriber list available to selected companies/vendors. If you do not wish to be included on this mailing list, please write to the marketing department at the address above. • Opinions expressed are not necessarily those of BOH. Mention of products and services does not constitute endorsement. Advice given is general, and readers should consult professional counsel for specific legal, ethical, or clinical questions.

Managing Editor: Geri Spanek

Contributing Editors: Chris Apgar, CISSP, President, Apgar & Associates, LLC, Portland, Ore.; Mary D. Brandt, MBA, RHIA, CHE, CHPS, Vice President of HIM, Scott & White Healthcare, Temple, Texas; Joanne Finnegan

Editorial Advisory Board, Briefings on HIPAA:
Jana H. Aagaard, Esq., Law Office of Jana H. Aagaard, Carmichael, Calif.
Kevin Beaver, CISSP, Founder, Principle Logic, LLC, Acworth, Ga.
Kate Borten, CISSP, CISM, Founder, The Marblehead Group, Marblehead, Mass.
John R. Christiansen, JD, Managing Director, Christiansen IT Law, Seattle, Wash.
Ken Cutler, CISSP, CISA, Vice President, MIS Training Institute, Framingham, Mass.
Rick Ensenbach, CISSP-ISSMP, CISA, CISM, HITRUST, Manager, Wipfli, LLP, Minneapolis, Minn.
Reece Hirsch, Esq., Partner, Morgan Lewis, One Market, Spear Street Tower, San Francisco, Calif.
Mac McMillan, CISSM, Co-Founder and CEO, CynergisTek, Inc., Austin, Texas
William M. Miaoulis, CISA, CISM, CISO & HIPAA/HITECH Service Line Leader, Phoenix Health Systems, Dallas, Texas
Phyllis A. Patrick, MBA, FACHE, CHC, Founder, Phyllis A. Patrick & Associates, LLC, Purchase, N.Y.
Frank Ruelas, MBA, Principal, HIPAA College, Casa Grande, Ariz.

External experts

One decision the incident response team must make is whether to involve external experts. These might include computer forensics specialists, legal counsel, an insurance carrier, notification vendors, call center vendors, and law enforcement.

The burden of proof is on the CE to demonstrate that an incident is not a breach, says Edlind. However, retaining outside computer forensic experts to determine whether information was actually breached can be very expensive.

UH initially relied on external experts to perform forensic analysis, but ultimately brought the function in-house after purchasing forensics software and providing training to its information security staff.

Contracting with vendors that can send notification letters and staff a call center before a breach occurs is a good idea, Moran says. Negotiating with a vendor during a crisis is something you should try to avoid, she says.

Whether you handle the notification process yourself, staff a call center to respond to patient inquiries, or hire a vendor could depend on the size of a breach, says Moran.

Notification issues

If you determine your organization has experienced a data breach, you must comply with federal breach notification requirements. Making telephone calls to affected patients in addition to sending notification letters is a good idea whenever possible, says Moran. A call offers an opportunity to explain what happened so patients will know beforehand why they are receiving notification letters.

In the subway case, clinicians involved with the patients whose PHI was lost were also incredibly helpful, she says.

In one instance, Moran called a patient who was hospitalized at the time. The patient’s spouse answered and was about to hand the telephone to the patient. Instead, Moran went to the hospital room and spoke with the patient in person.

“We want the patients to know we sincerely regret what happened but also want to minimize further stress by being sensitive in how we communicate to them. Each case should be looked at on an individual basis,” she says.

You should establish a process to answer patients’ questions once they receive a notification letter. Ensuring that staff answer questions consistently, perhaps with key talking points, is important.

Prevent future breaches

The work is not finished when the crisis is past, Moran says.

“Things are never the same. For a time, there is no returning to ‘normal,’ ” she says. The team should conduct a root cause analysis, digging down to determine what happened and working to prevent any future breaches. Ensure mitigation steps are followed through to completion.

Track data to present at incident response team meetings. UH uses a template to track specific information that helps the team identify trends, says Edlind.

For example, the healthcare system found that workforce members were not protecting the confidentiality of their passwords. As a result, it provided training that explained how to secure passwords, so that workforce members wouldn’t write their passwords on identification badges visible to others, for example.

Questions? Comments? Ideas? Contact Contributing Editor Joanne Finnegan, email [email protected].


Data breach experience teaches important lessons

Paula Moran, MEd, and Jennifer Edlind, JD, CHC, say they learned important lessons while working with their incident response teams. Consider the following takeaways with respect to data breaches.

When, not if

Data breaches are not a matter of if, they are a matter of when. Despite privacy and security officers’ diligent efforts to prevent breaches, something inevitably happens, says Moran, privacy and security manager at Massachusetts General Hospital (MGH) in Boston.

“Every organization is going to have an incident,” agrees Edlind, director of privacy and compliance operations at University Hospitals Health System in Cleveland. Therefore, planning proactively to be able to react when an incident occurs is essential.

Intent

Most individuals do not act with malicious intent. Hackers and individuals who try to profit from accessing PHI are the exception rather than the rule.

“Most people are trying to do the right thing and protect confidentiality, but mistakes are made,” says Moran.

Training

Regularly review and refresh your training program with current information, both internal and external. Provide training to your internal staff and business associates that handle your PHI.

Edlind incorporates incidents that occur at her facility or that she reads about in the news to illustrate what can go wrong. Case studies can supplement theoretical information about HIPAA requirements and help staff members understand how to apply the organization’s policies to their daily activities and how their actions could result in a data breach.

“Make training relevant and interesting to people,” she says. “Do people bring work home? Yes. Is there a proper way to handle that? Yes. Our goal is to impact people’s decision-making so they instinctively take the right steps to protect patient information or stop to ask someone for guidance.”

Awareness

Supplement training with other methods. Along with traditional training methods, be creative, says Moran.

As part of its corrective action plan (CAP) with OCR that stemmed from a data breach involving PHI that was lost on a subway train, MGH had 90 days to provide training on new policies and procedures to all of its workforce members who have access to and use PHI. But hospital leaders also realized “we need to keep learning alive,” she says. The Privacy Office created an awareness campaign to do so.

(For more on MGH’s awareness campaign, see the related story on p. 5.)

Cultural change

Significant cultural change is necessary to break down silos and implement a multidisciplinary incident response team. Much of the work MGH was required to do as a result of the CAP was done cross-functionally.

“We got people to really think outside of the box,” says Moran. Various departments helped with the requirements of the CAP. For example, obtaining an identification badge requires completion of the CAP-required training. Security staff ensure that a workforce member has a printed certificate to demonstrate that training is complete before they issue an access ID badge.

Communicate

Communicate key messages and simple action steps to your employees. “Everyone is flooded with information,” says Moran.

Make your message stand out and emphasize the point, she says. Posters, positive weekly stories, friendly competition between departments, and acknowledgement of staff who are doing the right things can energize the workforce.


HIPAA awareness POPPs at Boston hospital

Heightened HIPAA privacy and security awareness among workforce members is the silver lining resulting from Massachusetts General Hospital’s (MGH) Corrective Action Plan that stemmed from a data breach involving PHI that was lost on a subway train.

“People are paying attention to HIPAA privacy and security,” says Paula Moran, MEd, PMP, privacy and security manager at the Boston hospital.

Moran and others are committed to keeping the message alive, so the hospital’s privacy office launched an awareness campaign called “MGHers POPP”—Protect Our Patients’ Privacy.

The campaign aims to remind the MGH workforce to stop and think before doing anything that could compromise patient privacy, says Moran. She wants staff members to stop and ask themselves “does this POPP?” whether they are transporting PHI on a laptop computer, discussing patient care, or sending a fax that contains PHI.

“It’s a very creative approach to supplement traditional methods of training and communication,” says Moran. Privacy office staff members walk through the hallways in the hospital and distribute lolliPOPPs to staff as a thank you to the staff members who strive to protect patient privacy every day.

A POPP cart, decorated with the campaign logo, is visible at employee events. Privacy office staff distribute POPPcorn and POPP-Tarts®, as well as thank-you baskets to workforce members. Staff members also created bright and colorful posters, with photographs of workforce testimonials from staff demonstrating how they protect patient privacy. The campaign also includes weekly “POPP Pointers” to remind workforce members about HIPAA best practices.

Workforce members can participate in contests and raffles for prize giveaways by submitting entries that describe how they POPP. Prizes include items such as gift certificates to Boston’s Pops Restaurant, tickets to the Boston Pops Orchestra, or a bag from the Coach™ Poppy line.

Moran is proud of MGH’s commitment and hopes that sharing her facility’s campaign can help other hospitals find ways to increase HIPAA awareness among their staff members.

Sample working off-site security agreement

I acknowledge that I have read and will abide by ABC Organization’s information security policies as applicable to me, including the off-site work security policy (a copy of which I have received). I agree to protect ABC Organization’s confidential data, in any form, when I am accessing and/or using it while away from the facility. Further, I agree to a security audit of my off-site work location if and when requested by ABC Organization.

Name:

Signature:

Date:

Please return this form to the Information Security Officer, ABC Organization.

Source: The No-Hassle Guide to HIPAA Policies: A Privacy and Security Toolkit, Updated for 2009, published by HCPro, Inc.


Sample privacy and security incident response policy

Title: Privacy and security incident response

Policy: This organization will develop and maintain a privacy and security incident response plan that includes reporting of a suspected incident, the response team’s composition and responsibilities, and processes for investigation and management of this organization’s response, including external notification as appropriate and mitigation of any harmful effects of the incident.

Purpose: This policy is designed to mitigate any harmful effects of a privacy or security incident related to our protected information and system assets, and to reduce the likelihood of a similar incident in the future. It also is intended to comply with regulatory requirements, including, but not limited to, HIPAA’s privacy and security rules and the American Recovery and Reinvestment Act of 2009 (Recovery Act).

Scope: This policy applies to incidents including violations of our privacy and security policies and procedures by workforce and agents and breaches by known or unknown external parties. HIPAA’s Security Rule defines a “security incident” as an “attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.” This policy specifically extends to our confidential information assets in any form and is not limited to electronic systems, devices, and media.

GENERAL RULES:

1. Reporting

Procedures and mechanisms (e.g., Web form or help desk calls) will be developed and maintained for reporting suspected and actual privacy and security incidents. These will be readily available to our workforce, our agents and partners, and our patients and customers.

2. Incident criticality

Guidelines for categorizing an incident’s criticality will be developed and maintained to ensure that our response actions are timed appropriately for the level of the incident’s actual or potential impact on the organization and the people we serve.

3. Incident response team (IRT)

A two-tiered IRT will be established and maintained with a core or primary team of first responders and a second-tier team of experts included on an as-needed basis. The response team leader will have a designated backup at all times. Roles, responsibilities, lines of authority, communications and call lists, and other relevant materials will be documented and kept current.

4. Response guidelines

Guidelines will be developed, reviewed, and maintained for key steps in our response process. These will include, but not be limited to, computer forensics measures, communications with law enforcement, and legal steps.

5. Breach notification

As a critical part of our response guidelines, detailed breach notification procedures will be developed and kept up to date with state and federal legal requirements. These procedures will include means to determine whether the information was encrypted, the number of individuals whose records have been breached, and individuals’ names and contact information. Notification procedures will include timeliness, content, and means of notifying individuals as required under the Recovery Act Title XIII Subtitle D. Procedures will also describe when government agencies such as the U.S. Department of Health and Human Services must also be notified.


6. Documentation

We will develop and securely maintain an incident database for the purposes of tracking incidents currently under investigation and retrospective periodic review of incidents. These detailed records will be classified as confidential business materials.

7. Post-incident wrap-up

We will develop and maintain a process for post-incident review. This process will look for lessons learned and determine if longer-range actions are needed to prevent similar incidents in the future.

8. Testing

We will periodically review and test our incident response processes. We will update processes as needed for continuous improvement.

9. Business associates (BA)

Our incident response procedures will be coordinated and tested with our Business Associates (BA) and other third parties as appropriate. BAs will be required to demonstrate their regulatory compliance as it affects our protected health information (PHI) and other confidential information assets.

10. Incident examples

Some examples of privacy and security incidents include, but are not limited to, the following:

➤ A workforce member or agent with authorized access to a database knowingly viewing a record in the database when there is no business reason to do so. This is a policy violation, even if the individual does not redisclose the content of the record.
➤ A workforce member who pressures another worker to share his or her user ID and password, even if the intent is for business purposes.
➤ A workforce member who leaves an unattended workstation in an open work area logged onto confidential data.
➤ A workforce member downloading software that is not permitted under the Acceptable Use Policy.
➤ An unauthorized third party (“hacker”) using a valid user ID and password to gain access to our electronic network and/or systems.
➤ An unauthorized third party seeking confidential information, such as a password, by pretending to be an individual authorized to obtain such information (“social engineering”).
➤ An email purporting to be from an authorized party or other false credentials used to obtain PHI or other confidential information.
➤ A software virus or worm (“malware”) interfering with the functioning of personal computers that are part of an information system.
➤ An individual presenting as a patient but with falsified identification (medical identity theft).

Source: The No-Hassle Guide to HIPAA Policies: A Privacy and Security Toolkit, Updated for 2009, published by HCPro, Inc.


Sample privacy and security violations sanctions policy

Title: Privacy and security violations sanctions

Policy: Violations of our privacy and information security policies and procedures are taken seriously and will result in sanctions. The workforce will be reminded at least annually through our workforce awareness program of the potential consequences.

Sanctions may include:

➤ Oral or written warnings
➤ Immediate termination of employment, of work agreement with students/trainees and volunteers, and/or of business contract, as appropriate
➤ External reporting, possibly resulting in civil and criminal legal consequences:
– To government agencies, such as the Secretary of Health and Human Services
– To law enforcement
– To licensing and registration boards

Purpose: This organization is committed to ensuring the privacy and security of information under our protection. We intend these sanctions to serve as a deterrent to violations. Under regulations such as HIPAA Privacy and Security rules, we are obligated to enforce our privacy and security policies and procedures. Therefore, when such policies and procedures are violated, we will respond by mitigating breaches and sanctioning those responsible.

Scope: This policy applies to our full workforce. It covers all privacy and information security policies, standards, rules, and procedures. Further, it applies even when an instance is not explicitly prohibited, but when it is clearly counter to the intent of the body of policies, procedures, etc.

GENERAL RULES:

1. Reporting

Workforce members and business associates must report actual and suspected violations and breaches. Failure to report a breach of which one has knowledge may result in disciplinary action. Falsely reporting a breach in bad faith or for malicious reasons will result in disciplinary action.

2. Sanctions

Workforce sanctions will be based on:

➤ The severity of the violation and its impact
➤ Whether the violation was intentional and, if so, what the intent was
➤ Whether the violation is part of a pattern of improper behavior regarding privacy and security

Mitigating factors will be considered.

This organization will proactively develop and maintain sanction guidelines that (a) reflect the above factors and (b) apply to different groups within the organization’s workforce (such as employees, doctors, volunteers, etc.). These guidelines will be used to assist in handling specific cases. In addition, guidelines will be developed to specify who in the organization will determine when the most serious sanctions are to be invoked, such as notifying law enforcement.

3. Sanction review

Before it is imposed, a proposed sanction will be reviewed by the privacy officer (PO) and/or information security officer (ISO) to ensure appropriateness, consistency, and fairness across all members of the workforce.

4. Documentation

Each case will be documented and filed in the workforce member’s record, where it will be retained for a minimum of six years. (Note that this documentation is distinct from the incident reporting and response form kept by the PO and ISO.)


Documentationmustinclude:

➤ Nameofworkforcemember

➤ Name(s)androle(s)ofdecision-maker(s)forthecase

➤ Descriptionoftheviolation(withoutinclusionofanyprotectedinformationexceptif/asnecessary)

➤ Other circumstances, either mitigating or damaging

➤ Date(s) and time(s) of violation

➤ Real and potential consequences

➤ Sanction(s) applied (including a complete record of any external reporting)

5. Incident analysis and mitigation

During and following this process, the organization will analyze the consequences of the breach or violation and consider whether mitigation measures must be taken to protect a patient, a staff member, the organization, etc. This process is part of this organization’s privacy and security incident response plan.

6. Exceptions

Workforce members are not considered to have violated HIPAA if the disclosure of PHI is as follows.

Whistleblowers: Sanctions will not apply to disclosures by workforce members acting in good faith:

➤ In the belief that this organization has engaged in conduct that is unlawful or otherwise violates professional or clinical standards;

➤ Or that care or services provided by this organization potentially endanger patients, employees, or members of the public;

➤ Or the disclosure is made to a federal or state health oversight agency or public health authority authorized by law to oversee the relevant conduct or conditions of the covered entity;

➤ Or the disclosure is made to an appropriate healthcare accreditation organization for the purpose of reporting the allegation of failure to meet professional standards or misconduct by this organization;

➤ Or the disclosure is made to an attorney retained by or on behalf of the workforce member or business associate for the purpose of determining legal options regarding disclosure conduct.

Crime victims: A covered entity is not considered to have violated HIPAA’s PHI use and disclosure requirements if a member of its workforce who is the victim of a criminal act discloses PHI to a law enforcement official about the suspected perpetrator of the criminal act, and the disclosed PHI is limited to identification and location purposes.

7. Nonretaliation

This organization will not intimidate, threaten, coerce, discriminate against, or take any other retaliatory action against an individual who:

➤ Exercises his or her rights or participates in this organization’s complaint process; or,

➤ Files a complaint with the Secretary of Health and Human Services, Office for Civil Rights, or Centers for Medicare & Medicaid Services; or,

➤ Testifies, assists, or participates in an investigation, compliance review, proceeding, or hearing; or,

➤ Opposes any act or practice unlawful under HIPAA, providing that the individual acted in good faith, believing that the practice was unlawful, the manner of opposition is reasonable, and the opposition does not involve disclosure of PHI in violation of HIPAA regulations.


Source: The No-Hassle Guide to HIPAA Policies: A Privacy and Security Toolkit, Updated for 2009, published by HCPro, Inc.


© 2012 HCPro, Inc. For permission to reproduce part or all of this newsletter for external distribution or use in educational packets, contact the Copyright Clearance Center at www.copyright.com or 978-750-8400.


Help workforce learn from the mistakes of others

Experience is said to be the best teacher, so learn from the mistakes made at other organizations. Incorporate the following scenarios and OCR resolution agreements during HIPAA training at your organization.

Medical record copy fees

A patient complained that a covered entity failed to provide access to his medical records. OCR notified the covered entity of the allegation. The entity released the patient’s medical records, but also billed him $100.00 for a “records review fee” and an administrative fee.

The HIPAA Privacy Rule permits the imposition of a reasonable cost-based fee that includes only the cost of copying and postage and preparing an explanation or summary if agreed to by the individual. To resolve this matter, the covered entity refunded the $100.00 “records review fee.”

Telephone messages

A hospital employee failed to observe minimum necessary requirements when she left a telephone message with the daughter of a patient that detailed her medical condition and treatment plan. An OCR investigation indicated that the confidential communications requirements were not followed because the employee left the message at the patient’s home despite the patient’s instructions to call her at work.

To resolve the issues in this case, the hospital developed and implemented new procedures. Employees were trained to provide only the minimum necessary information in messages and received specific direction regarding what information could be left in a message. Employees also were trained to review registration information for patient contact directives regarding messages. The new procedures were incorporated in standard privacy training, both as part of a refresher series and mandatory annual compliance training.

Former spouse’s medical records

A nurse practitioner who has privileges at a multi-hospital healthcare system impermissibly accessed the medical records of her former husband. To resolve this matter and to prevent a recurrence, the covered entity terminated the nurse practitioner’s access to its electronic records system, reported her conduct to the appropriate licensing authority, and gave her remedial Privacy Rule training.

Editor’s note: Additional information about OCR resolution agreements is available at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/casebyentity.html#2generalhospital.


HIPAA Q&A

Fundraising, other providers, going out of business

by Mary Brandt, MBA, RHIA, CHE, CHPS

Q: As part of its fundraising effort, Hybrid Entity’s cancer center wants to send a patient list (demographic information only) to Hybrid’s development office, which is not designated as a healthcare component of Hybrid. Is this permissible? ABC is sharing demographic information only. Does generation of this list by a specialty clinic divulge information about the type of treatment?

A: Covered entities may use or disclose limited PHI to business associates or institutionally related foundations for fundraising.

The development office is considered part of Hybrid Entity and does not have to be specifically designated as a healthcare component. Patient authorization is not required to use PHI for fundraising, but covered entities must tell patients about this use in their Notice of Privacy Practices.

A patient list from the cancer center may reveal general information about a patient’s condition, but using only demographic information and dates of service for internal fundraising is acceptable.

Q: Does accessing your own medical records violate HIPAA? Hospital policy prohibits employees from accessing their own medical records.

A: The Privacy Rule gives individuals the right to access their PHI, but many healthcare organizations require employees to request copies of their PHI like any other patient. If hospital policy prohibits employees from directly accessing their own records, the hospital may enforce that policy, as long as it gives employees another channel to request access to their records.

Q: Other provider offices, pharmacies, and laboratories contact our office when our patients don’t provide all of the insurance information necessary for billing purposes. This occurs when patients don’t return telephone calls. Is providing this information without contacting the patient permissible?

A: Yes. The Privacy Rule permits covered entities to share PHI with other covered entities (e.g., providers, pharmacies, laboratories) without patient authorization if: (1) the information is needed for the other covered entity’s healthcare operations, and (2) both covered entities have a relationship with the patient.

Q: Does HIPAA require medical facilities to notify patients when they are going out of business? Must a medical facility that is going out of business notify patients and provide a location where patient records are accessible? How long after closing must records be accessible?

A: The Privacy Rule does not require medical facilities to notify patients when they go out of business, but state law may do so.

Laws vary from state to state, but many states describe specific processes for providing notice to patients so they may obtain copies of their records. Records must remain accessible for the minimum retention period required by state law.

Editor’s note: Brandt is vice president of health information management at Scott & White Healthcare in Temple, Texas. She is a nationally recognized expert on patient privacy, information security, and regulatory compliance. Her publications provided some of the basis for HIPAA’s privacy regulations.


Compliance building blocks

Responding appropriately to complaints of noncompliance

An important part of a compliance officer’s job is responding to noncompliance complaints. A process and procedures to ensure that anyone who complains about noncompliant activities will not be subject to retaliation is necessary, says Frank Ruelas, MBA, principal of HIPAA College in Casa Grande, Ariz.

Complaints may be perceived negatively, but they have a positive side, Ruelas says. Consider medication errors. If staff members don’t report them, the incidence may appear low when, in fact, a bigger problem exists.

A measure of effectiveness

Complaints can be an indicator of program effectiveness. Awareness of a problem allows you to educate your workforce and correct mistakes, he says.

Train your workforce on how to report items that must come to your attention, he says. You want staff members to report possible violations, especially if they suspect incidents might result in a breach of PHI. If staff members are not following policies and procedures designed to protect privacy and security, you want to know about it.

Monitor all complaints

Compliance officers must carefully monitor complaints. How many occur monthly? What is their origin? Does one area generate more complaints than others? Investigate why this is happening. Are complaints not reaching the compliance officer? Why not? Is a department director acting as a filter so that incidents aren’t reported?

A compliance officer must have access to the CEO and board of trustees to facilitate reporting complaints and problems to the highest level of authority, he says. The path should be as clean as possible.

Nonretaliation for reporting

If someone reports a compliance problem in good faith, there must be a clear expectation of nonretaliation, Ruelas says. You want individuals with good intent to come forward with any compliance incidents. Educate staff about whistleblower protections.

A process for complaints

Create a process for alerting the compliance officer about complaints. Problems can be reported in writing, electronically, in person, or via recorded messages left on a hotline.

Regardless of method, ensure that staff have the ability to raise a red flag about compliance problems. Many organizations create hotlines to allow workforce members and patients to report complaints. Some organizations encourage workforce members to fax complaints to a designated location.

Ensure that new workforce members know how to submit complaints and remind all workforce members about the submission process via newsletters and email. Create a process to ensure that you deal with complaints and respond to them.

Internal and external complaints

Staff and patients may also file external complaints with a federal agency. If this occurs, remain focused. Don’t get personally involved; keep your mind on the incident, says Ruelas. “This may be one of the most difficult mental and professional hurdles to overcome,” he says. Maintain a neutral perspective, identify the relevant facts, and move forward. Don’t let anything compromise your review of and response to a complaint, he says.

Consider whether you have resources to investigate. At times, you may need assistance. Some issues could be so complex or volatile that you need a third party to help investigate them, Ruelas says.

Editor’s note: This is the fourth part in our series on compliance featuring Ruelas. In this series, he introduces basic principles proven helpful in establishing effective compliance programs.

Privacy & Security Primer

A supplement to Briefings on HIPAA

A training tool for healthcare staff

October 2012

Privacy and Security Primer is a monthly, two-page Briefings on HIPAA insert that provides background information that privacy and security officials can use to train their staff. Each month, we discuss the privacy and security regulations and cover one topic.

Tips from this month’s issue

Incident response teams (p. 1)

1. An organization’s incident response team should include representatives from these departments:

− Legal and risk management

− PR

− Human resources

− Information security

− Compliance/privacy officers

− Police and security

− Physicians and/or chiefs

− Research and the institutional review board

2. HHS issued interim final breach notification regulations in August 2009, as required by the HITECH Act—rules expected to be finalized very soon. Access the regulations at www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html.

3. If an incident is reported or detected, you should have a team in place to quickly determine the impact and magnitude of the incident and decide how to respond to meet data breach requirements.

4. When an incident occurs within a covered entity, it should be viewed as a hospital management issue rather than a privacy office problem. It could involve many individuals and several departments.

5. Knowing how the incident occurred and why is critical. An incident response team enables everyone to hear the same information at the same time.

6. When a breach occurs, conduct a root cause analysis. This can help prevent future breaches.

Privacy and security incident response policy (p. 6)

7. Develop and maintain a privacy and security incident response plan that includes reporting of a suspected incident, the response team composition and responsibilities, and processes for investigation and management of the organization’s response, including external notification as appropriate and mitigation of any harmful effects of the incident.

8. Design a policy to mitigate any harmful effects of a privacy or security incident related to protected information and system assets, and to reduce the likelihood of a similar incident in the future.

9. Design a policy that addresses reporting, incident criticality, the incident response team, response guidelines, breach notification, documentation, post-incident wrap-up, testing, business associates, and incident examples.

10. Examples of privacy and security incidents include:

− A workforce member with authorized access to a database knowingly viewing a record in the database when there is no business reason to do so

− A workforce member who pressures another worker to share his/her user ID and password

− A workforce member who leaves an unattended workstation in an open work area logged on to confidential data

− A workforce member downloading software that is not permitted under the acceptable use policy

− An unauthorized third party using a valid user ID and password to gain access to an electronic network and/or systems

− An unauthorized third party seeking confidential information by pretending to be an individual authorized to obtain such information

− An email purporting to be from an authorized party or other false credentials used to obtain PHI or other confidential information

− A software virus or worm interfering with the functioning of personal computers that are part of an information system

− An individual presenting as a patient but with falsified identification

Privacy and security violations sanctions policy (p. 8)

11. Organizations should develop a policy that ensures that privacy and security violations are taken seriously and result in sanctions. Remind the workforce of the potential consequences annually through a workforce awareness program.

12. Privacy and security violations sanctions may include:

− Oral or written warnings

− Immediate termination of employment, of work agreement with students/trainees and volunteers, and/or of business contract, as appropriate

− External reporting, possibly resulting in civil and criminal legal consequences:

  − To government agencies, such as the Secretary of Health and Human Services

  − To law enforcement

  − To licensing and registration boards

13. An organization should not intimidate, threaten, coerce, discriminate against, or take any other retaliatory action against an individual who:

− Exercises his or her rights or participates in the organization’s complaint process

− Files a complaint with the Secretary of Health and Human Services, OCR, or CMS

− Testifies, assists, or participates in an investigation, compliance review, proceeding, or hearing

− Opposes any act or practice unlawful under HIPAA, providing that the individual acted in good faith, believing that the practice was unlawful, the manner of opposition is reasonable, and the opposition does not involve disclosure of PHI in violation of HIPAA regulations

Compliance building blocks (p. 12)

14. Train your workforce how to report possible violations, especially if they suspect incidents might result in a breach of PHI.

15. Compliance officers must carefully monitor complaints. How many occur monthly? What is the origin? Does one area generate more complaints than others? Are complaints not reaching the compliance officer? Why not?

16. A compliance officer must have access to the organization’s CEO and board of trustees to facilitate reporting complaints and problems to the highest level of authority. The path should be as clean as possible.

17. If someone comes forward in good faith to report a compliance problem, there must be a clear expectation of nonretaliation. You want individuals with good intent to come forward with any incidents related to compliance with all federal regulations, including HIPAA. Educate staff about whistleblower protections.

18. Ensure that new workforce members know how to submit complaints to the compliance officer and remind all workforce members of the submission process via newsletters and email. Create a process to ensure that you deal with complaints and decide how to respond to them.