Page 1

Security Breach Notification

© 2009 Fox Rothschild

A Webinar for the Medical Society of New Jersey

October 28, 2009

Presented by Helen Oscislawski, Esq.

Security Breach Notification: HITECH & New Jersey Law

Page 2

HITECH Breach Notification Laws

§ 13402 Health Information Technology for Economic and Clinical Health Act (“HITECH”) (February 17, 2009).

Breach Notification Guidance and RFI (74 FR 19006, April 17, 2009).

Breach Notification for Unsecured Protected Health Information – HHS’ Interim Final Rule (74 FR 42740, August 24, 2009).

FTC also released rules for “Vendors” of PHRs.

Page 3

HITECH Breach Notification Laws

Effective date is September 23, 2009; however, HHS will not enforce compliance with penalty assessments until February 22, 2010.

The “Harm” threshold controversy:

- Letter from Congress to HHS Secretary re: repeal “harm” threshold (October 1, 2009).
- Letter from AHA to HHS Secretary re: “harm” threshold should remain (October 23, 2009).

Comments to Interim Final Rule were due October 23, 2009. Remains to be seen if Interim Final Rule will be modified…

Page 4

New Jersey Breach Notification Law

New Jersey Identity Theft Prevention Act, NJSA. 56:8-161 et seq. (“NJITPA”) (effective January 1, 2006).

NJITPA Rule, NJAC 13:45F, reserved Subchapter 3 - Breach of Security Provisions (adopted April 7, 2008).

Notice of Pre-Proposal - Identity Theft, Written Security Programs and Violations (issued December 15, 2008). Comments were due February 13, 2009. No final rule yet…

Page 5

HITECH-State Law Preemption

With regard to Security Breach Notification requirements, HHS specifically stated in its Interim Final Rule:

“covered entities will need to analyze relevant State laws with respect to this regulation to understand the interaction and apply this preemption standard appropriately.”

74 FR at 42756.

Page 6

HITECH Preemption Standard

§ 13421 of HITECH: A provision or requirement under HITECH will supersede any contrary provision of a state law except if the provision of State Law:

(a) is a provision the Secretary determines—
  (i) is necessary: to prevent fraud and abuse; or to ensure appropriate State regulation of insurance and health plans; or for State reporting on health care delivery or costs; or for other purposes; or
  (ii) addresses controlled substances; or

(b) relates to the privacy of individually identifiable health information and imposes a more stringent standard or requirement than HITECH.

Page 7

Compliance Checklist

- Complete preemption analysis of security breach notification standards under HITECH and HHS Interim Final Rule, and NJITPA.
- Develop and implement Security Breach Policies and Procedures.
- Develop Risk Assessment for documenting “Harm” assessments.
- Develop and Use a “Notification Letter” for notifying individuals.
- Assign a “1-800” number to receive questions about breaches.
- Revise Business Associate Agreements.
- Revise HIPAA policies and procedures.
- Train Employees.
- Enforce Sanctions.

Page 8

Complete Preemption Analysis

Compare Definitions of Terms, Scope of Applicability and Procedural Requirements.

Detail-intensive legal analysis. Any two items that are not “contrary to” one another need to both be followed.

Page 9

Who Does the Law Apply To?

HITECH: Covered Entities; Business Associates.

New Jersey: Businesses; Public Entities.

Page 10

What Info Is Covered?

HITECH: “Protected Health Information” (almost everything, excluding de-identified data, and Limited Data Sets minus DOB and Zip). Broader.

New Jersey: “Personal Information” (only individual’s name or first initial and last name linked with 3 pieces of data). Much Narrower.

Page 11

What Medium is Covered?

HITECH: Electronic. Paper. Oral.

New Jersey: Electronic only!

Page 12

What Constitutes a “Breach”

HITECH: Unauthorized acquisition, access, use or disclosure [i.e., in violation of Privacy Rule] of [unsecured] PHI which compromises the security of PHI. There is a significant “Risk of Harm.” [controversial]

New Jersey: Unauthorized access to electronic files, media or data containing [unsecured] PI that compromises the security, confidentiality or integrity of such PI. “Misuse” reasonably possible.

Page 13

“Secured” PHI

HITECH: Unusable, unreadable or indecipherable by:

- Encryption
- Destruction
- Per NIST’s standards

Firewalls, Access Controls, Redaction are NOT enough.

New Jersey: Encryption. “Any other method or technology that renders the PI unreadable or unusable.” [“any other method” if not recognized under HITECH would be preempted]

Page 14

Unauthorized Use or Access

HITECH: Violates the Privacy Rule.

New Jersey: Not specifically defined.

Page 15

What are the Exceptions?

HITECH: “Unintentional.” “Inadvertent.” “Not Retained.”

New Jersey: “Good Faith Acquisition” by employee or agent. Legitimate business purpose. Not further used or disclosed.

Page 16

HITECH Breach Exceptions

1. UNINTENTIONAL acquisition, access, or use of PHI by a workforce member or person acting under the authority of a CE or a BA, if in good faith and within the scope of authority and does not result in further use or disclosure in violation of the Privacy Rule.

2. INADVERTENT disclosures by a person who is authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same CE or BA or OHCA in which the CE participates, and the information received as a result of such disclosure is not further used or disclosed in violation of the Privacy Rule.

3. RETENTION NOT POSSIBLE although disclosure of PHI was to an unauthorized person. CE or BA must have a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

Page 17

When You Are Deemed to “Know”

HITECH: Actual knowledge of the Breach. By exercising reasonable diligence “should have known” about the Breach. Imputed knowledge of employees and agents!!

New Jersey: Actual discovery of the Breach. Upon receipt of notice regarding the breach.

Page 18

Potential Required Notices

HITECH: Individual; HHS; Media.

New Jersey: Individual; Consumer Reporting Agencies; Division of State Police.

Page 19

Timing of Individual Notice

HITECH: No unreasonable delay, in no case longer than 60 days. Delay for Law Enforcement only if receive written communication that notice to individuals must be delayed for specific time period, or if oral, then document and delay no more than 30 days.

New Jersey: Most expedient time possible, without unreasonable delay. Must wait for law enforcement to make determination re: whether investigation would be compromised (preempted, if causes delay more than 30 days).

Page 20

Form of Individual Notice

HITECH: U.S. Mail. E-mail only if individual has specified. Substitute Notice only if:

- Out of date info
- Lack info for 10 or more Individuals

Urgent Notice (i.e. by phone) if possible imminent misuse.

New Jersey: First class mail. e-Mail. Substitute notice if:

- cost of written notice would exceed $250K (preempted)
- class of persons to be notified exceeds 500,000 (preempted)

Page 21

Content of Individual Notice

HITECH: Brief description of what happened. What type of unsecured PHI was involved. Steps for individual to take. What is being done to investigate and mitigate. Contact information, including toll-free number, e-mail, Website or postal.

New Jersey: Description of categories of PI involved (e.g., SS#s). Information about FTC’s website and its toll-free number. Steps for individual to take. Steps being taken to prevent further breaches. Toll-free number or other means of contact for further info.

Page 22

Notice to Agencies

HITECH: Less than 500 Individuals – Annual Log must be submitted to Secretary of HHS of all security breaches involving less than 500 individuals. 500 or More Individuals – Any breach involving 500+ individuals must be immediately reported to Secretary of HHS. HHS will post on their website.

New Jersey: Less than 1000 Individuals – Breaches where notices given to individuals shall be documented and made available for inspection by Dept. of Consumer Affairs, upon request. 1000 or more Individuals – must notify Consumer Reporting Agencies.

Page 23

Notice to HHS: 500 or More

Without unreasonable delay. HHS website is set up for CE to submit notice at http://transparency.cit.nih.gov/breach/index.cfm

The notice must be submitted electronically by following the HHS link and completing all information required on the breach notification form.

If a CE submitted a breach notification form to HHS and then discovers additional information to report, CE may submit an additional form, checking the appropriate box to signal that it is an updated submission.

Page 24

Notice to HHS: < 500

Annual Notice must be submitted within 60 days of the end of the calendar year in which the breaches occurred.

Notifications of all breaches occurring after the effective date in 2009 must be submitted by March 1, 2010.

The notice must be submitted electronically by following the HHS link http://transparency.cit.nih.gov/breach/index.cfm

A separate form must be completed for every breach that has occurred during the calendar year.

Page 25

Notice to Media Outlets

HITECH: If a security breach involves the PHI of 500 or More Individuals, notice to “prominent media outlets” serving the State or jurisdiction of such 500 or more Individuals must be provided.

New Jersey: No equivalent.

Page 26

Notices to Law Enforcement

HITECH: There is no mandatory notification of law enforcement under HITECH.

New Jersey: In advance of providing any Individual with notice, the security breach must be reported to the New Jersey Division of State Police.

Page 27

Develop and Implement Security Breach Policies and Procedures:

- Auditing
- Reporting Procedures
- Training
- Business Associate
- Investigating
- Risk Assessment (evaluating “Harm”)
- Decision Tree
- Notifying Affected Individuals
- Notifying Law Enforcement
- Notifying federal and state agencies
- Mitigating Harm
- Corrective Action

Page 28

Other Items on Checklist

Documenting “Harm” assessments.

“Notification Letter” for notifying individuals.

“1-800” to receive questions about security breaches.

Revise Business Associate Agreements - define procedures for security breach notification; allocate responsibility and liability for:

1. failure to detect breach,
2. failure to notify,
3. costs associated with fault,
4. liability for penalties and other damages.

Revise HIPAA policies and procedures (e.g., mitigation).

Train Employees (very important due to imputed knowledge)

Enforce Sanctions.

Page 29

Questions?

Helen Oscislawski, Esq.
Attorney at Law

Fox Rothschild LLP
997 Lenox Drive, Bldg. 3
P.O. Box 5231
Princeton, NJ 08543-5231

609.895.3310 - [email protected]

View my blog at: http://hipaahealthlaw.foxrothschild.com