LAW SEMINARS INTERNATIONAL CLOUD COMPUTING: LAW, RISKS AND OPPORTUNITIES Developing Effective Strategies for Compliance With the HITECH Act and HIPAA’s Data Breach Requirements December 13, 2010 Renee H. Martin, JD, RN, MSN Tsoules, Sweeney, Martin & Orr, LLC 29 Dowlin Forge Road Exton, PA 19341 Tel.: (610) 423-4200 Fax: (610) 423-4201 E-mail: [email protected]


Page 1

LAW SEMINARS INTERNATIONAL
CLOUD COMPUTING: LAW, RISKS AND OPPORTUNITIES

Developing Effective Strategies for Compliance With the HITECH Act and HIPAA’s Data Breach Requirements

December 13, 2010

Renee H. Martin, JD, RN, MSN
Tsoules, Sweeney, Martin & Orr, LLC
29 Dowlin Forge Road
Exton, PA 19341
Tel.: (610) 423-4200
Fax: (610) 423-4201
E-mail: [email protected]

Page 2

Copyright © 2010 Tsoules, Sweeney, Martin & Orr, LLC

HIPAA Basics

Who is covered?

Health plans

Health care clearinghouses

Health care providers who transmit any IIHI/PHI in electronic form in connection with a HIPAA standard transaction (claims, eligibility, payment and the other standard transactions)

Page 3

What is covered?

Page 4

Individually Identifiable Health Information (IIHI)

Health information, including demographic information, that:

Is created or received by a health care provider, health plan, or health care clearinghouse; and

Relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual; and

Identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Page 5

Protected Health Information (PHI)

Individually identifiable health information that is:

Transmitted by electronic media

Maintained in any electronic media

Transmitted or maintained in any other form or medium (including oral or written PHI)

Page 6

BREACH NOTIFICATION

Prior to the HITECH Act: no HIPAA data breach notification requirement, although notification may have been part of mitigation; most states have their own notification requirements

HITECH: the first federal law mandating breach notification. It affects covered entities, business associates, vendors of personal health records, and PHR service providers

HHS interim final regulations: 9/23/09. Breach notification enforcement: 2/23/10

Page 7

Key Definitions: HITECH Act

Breach

The term “breach” means the unauthorized acquisition, access, use, or disclosure of protected health information (PHI) which compromises the security or privacy of the PHI such that it poses a significant risk of financial, reputational, or other harm to the individual. (The “significant risk of harm” threshold comes from the HHS interim final rule; the statute itself speaks only of compromising the security or privacy of the PHI.)

Unsecured PHI

PHI that is not secured through the use of a technology or methodology specified by the Secretary of HHS. To count as secured, PHI must be rendered unusable, unreadable, or indecipherable to unauthorized individuals.

Page 8

Privacy & Security BreachesHITECH Act Requirements

Covered entities must notify individuals whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used or disclosed as a result of a privacy or security breach

If the breach is discovered by a business associate, the business associate must notify the covered entity of the breach, including the identity of each individual who has been, or is reasonably believed to have been, affected by the breach

Breach notices must be sent without unreasonable delay and in no case later than 60 calendar days after discovery

A breach is “discovered” on the first day on which the breach is known to the covered entity or business associate, or, by exercising reasonable diligence, would have been known; knowledge held by any workforce member or agent other than the person who committed the breach counts as knowledge of the entity

If the breach involves more than 500 residents of a state or jurisdiction, prominent media outlets serving that state or jurisdiction must also be notified. Breaches affecting 500 or more individuals must be reported to the Secretary of HHS at the same time as the individuals are notified; smaller breaches are logged and reported to the Secretary annually

Page 9

Business Associates: New Mandates

Business associates:

Are now directly subject to the administrative, physical and technical safeguard requirements of the HIPAA Security Rule

Must develop policies, procedures and documentation of security activities

Are prohibited from making any use or disclosure of PHI that is not in compliance with each of the required terms of a HIPAA BAA

Business associates that violate the HIPAA Security Rule or the terms of the BAA are now subject to the same civil and criminal penalties as covered entities

Health Information Exchanges (HIEs) are business associates and must enter into a BAA with the covered entity

Page 10

Methods for Securing PHI

HHS has identified two methods for rendering PHI unusable, unreadable, or indecipherable to unauthorized individuals:

1. Encryption
2. Destruction

The successful use of encryption depends upon two main features:

1. The strength of the encryption algorithm
2. Security of the decryption key or process (encrypted PHI is only “secured” if the key is kept apart from the data; if the key is compromised along with the ciphertext, the PHI is unsecured)

Destruction of PHI

– Paper: shredded or destroyed such that PHI cannot be read or reconstructed

– Electronic: cleared, purged, or destroyed such that PHI cannot be retrieved
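The two conditions above (algorithm strength, key security) and the destruction method can be exercised in code. The following is an added example written for this page, not material from the seminar deck or from HHS: it encrypts a constructed PHI record with a per-record data key held in a stand-in key vault, shows that the ciphertext alone or with a wrong key is unreadable while ciphertext plus the real key is readable (the safe-harbor question), and then destroys the key so that every copy of the ciphertext becomes unrecoverable, the cryptographic form of “purged” that matters for cloud storage you cannot physically wipe. Because the Python standard library ships no block cipher, the construction is an illustrative PRF-in-counter-mode stream cipher with encrypt-then-MAC built from HMAC-SHA256; it is not a NIST-approved mode, and a production system should use AES-GCM or another mode from the NIST publications that HHS’s guidance references (SP 800-111 for data at rest, SP 800-88 for media sanitization) through a vetted library. `KeyVault`, `StoredRecord` and all function names are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, NamedTuple

NONCE_LEN = 16   # per-record random nonce, stored with the ciphertext
TAG_LEN = 32     # HMAC-SHA256 tag length


def _subkey(data_key: bytes, label: bytes) -> bytes:
    # Domain separation: one data key yields distinct encryption and MAC subkeys.
    return hmac.new(data_key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode: block i = HMAC-SHA256(enc_key, nonce || i).
    # Illustrative only; use AES-GCM from a vetted library in production.
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt_phi(data_key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkey(data_key, b"enc"), _subkey(data_key, b"mac")
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_phi(data_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before using the ciphertext; raise ValueError on any mismatch."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    enc_key, mac_key = _subkey(data_key, b"enc"), _subkey(data_key, b"mac")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ValueError("integrity check failed: wrong key or altered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KeyVault:
    """Stand-in for a KMS/HSM (assumed name): keys live here, never beside the ciphertext."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def new_key(self) -> str:
        key_id = secrets.token_hex(8)
        self._keys[key_id] = secrets.token_bytes(32)
        return key_id

    def get(self, key_id: str) -> bytes:
        return self._keys[key_id]            # KeyError once the key has been shredded

    def crypto_shred(self, key_id: str) -> None:
        # Cryptographic erasure: with the only copy of the key gone, every blob
        # encrypted under it is unrecoverable, however many copies of the blob exist.
        del self._keys[key_id]


class StoredRecord(NamedTuple):
    key_id: str
    blob: bytes


def store_phi(vault: KeyVault, plaintext: bytes) -> StoredRecord:
    key_id = vault.new_key()
    return StoredRecord(key_id, encrypt_phi(vault.get(key_id), plaintext))


def read_phi(vault: KeyVault, rec: StoredRecord) -> bytes:
    return decrypt_phi(vault.get(rec.key_id), rec.blob)


def attacker_can_read(blob: bytes, candidate_key: bytes) -> bool:
    # The safe-harbor question: can whoever holds this blob, plus this key, read the PHI?
    try:
        decrypt_phi(candidate_key, blob)
        return True
    except ValueError:
        return False


def demo() -> Dict[str, bool]:
    vault = KeyVault()
    record = b"MRN 000123 | Jane Doe | dx: type 2 diabetes"   # constructed sample PHI
    rec = store_phi(vault, record)
    results = {
        "roundtrip_ok": read_phi(vault, rec) == record,
        "wrong_key_readable": attacker_can_read(rec.blob, secrets.token_bytes(32)),
        "stolen_key_readable": attacker_can_read(rec.blob, vault.get(rec.key_id)),
    }
    vault.crypto_shred(rec.key_id)          # "destruction" of the electronic PHI
    try:
        read_phi(vault, rec)
        results["shredded_unrecoverable"] = False
    except KeyError:
        results["shredded_unrecoverable"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The point the deck makes in one line is visible in the `stolen_key_readable` result: encryption only earns the safe harbor when the key stays out of the attacker's hands, so a breach response must establish whether the key material (or the process that applies it) was exposed, not merely whether the data was encrypted. The `crypto_shred` step is why key custody also settles the destruction question for data in a cloud provider's storage.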

Page 11

ACTIONS TO TAKE

Review Notice of Privacy Practices and update accordingly to reflect changes in privacy and security policies

Review and modify HIPAA privacy and security policies and procedures to include new requirements and to comply with timeframes

Compile list of business associates and expand it to include vendors

Identify other entities with which you share PHI that may now qualify as BAs and require BA agreement

(Continued)

Page 12

ACTIONS TO TAKE

Draft new BA agreements and update existing agreements to comply with the HITECH Act’s expanded requirements

Develop or modify existing breach notification policies so that they comply with the HITECH Act’s federal breach notification provisions and any state law counterparts

Notify BAs of the Security Rule, notification, and enforcement penalty changes made by the HITECH Act

Review and update employee manuals and training programs

Reevaluate how patient complaints are handled

Document each step taken to become compliant

Page 13

How will your organization respond to a breach?

Page 14

Investigating and Responding to Suspected Breaches

Before a breach occurs, have a plan

The goal is to avoid a breach; if that fails, follow your plan

Respond immediately and appropriately

Prepare to spend money and time to address the breach properly

The investigation and response will take longer than you think

Even small breaches need a thorough investigation and response

Page 15

WHETHER TO NOTIFY INDIVIDUALS OF BREACH

1. Determine whether there has been an impermissible acquisition, access, use or disclosure of PHI in violation of the Privacy Rule.

2. Conduct a thorough internal investigation, including a forensic assessment.

3. Did the use, access, acquisition or disclosure actually constitute a breach? Determine the risk of harm. If it is a breach, then…

4. Who impermissibly used or disclosed the PHI, and who were the recipients?

5. Can the impact of the harm be mitigated? For example, was the impermissibly disclosed PHI returned before any improper use?

6. What was the type and amount of PHI involved in the impermissible use or disclosure?

7. Document the results of the risk-of-harm assessment.

Page 16

Notice to individuals must contain, at a minimum:

1. The circumstances of the breach, plus the dates of the breach and of its discovery

2. The types of PHI involved (e.g., name, social security number, etc.)

3. Steps the individual should take to protect against potential harm

4. Steps the CE is taking to investigate, mitigate losses and protect against further breaches

5. Contact procedures (toll-free phone number, e-mail address, website or postal address)

Page 17

Responding to Breaches: Step by Step

1. Assemble an in-house multidisciplinary response team (management, board, IT, compliance, legal, communications, privacy officer, security officer, others).

2. Identify potential stakeholders.

3. Implement the response plan; have draft patient notification letters ready to go, and contract with a credit monitoring agency in advance.

4. Develop and implement an internal and external communications strategy (including notice to patients, stakeholders and regulatory agencies).

5. Prepare customer service representatives (hire if needed to handle the influx of calls).

6. Conduct a final assessment and capture lessons learned.

7. Employee discipline and HR follow-up.