Walking Through the Breach Notification Process - Beginning to End HIPAA COW Presentation and Panel April 8, 2011

Upload: arthur-flowers

Post on 17-Dec-2015


TRANSCRIPT

Walking Through the Breach Notification Process - Beginning to End

HIPAA COW Presentation and Panel

April 8, 2011

Panelists

Nancy Davis, Ministry Health Care

Beth Malchetske, ThedaCare

Peg Schmidt, Aurora Health Care

Teresa Smithrud, Mercy Health System

Overview

This presentation and panel discussion will address operationalizing the breach notification process within the covered entity.

Expert panelists will share best practices and lessons learned in the last year with compliance to HITECH’s breach notification requirement.

Objectives

Identify Breach Notification Resources for Developing an Internal Process and Response

Walk Through the Breach Notification Process from Beginning to End

Review Any New HITECH Impacts if Applicable

Panelist Discussion on Lessons Learned and Best Practices Developed

Audience Participation and Discussion

Resources

HIPAA COW HITECH Breach Notification Policy

All Inclusive Guidance

American Health Information Management Association (AHIMA)

North Carolina Healthcare Information and Communication Alliance (NCHICA)

Google!

Breach

Acquisition, access, use, or disclosure of protected health information (PHI) in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI. For purposes of this definition, "compromises the security or privacy of the PHI" means poses a significant risk of financial, reputational, or other harm to the individual.

A use or disclosure of PHI that does not include the identifiers listed at §164.514(e)(2) (i.e., a limited data set), and that also excludes date of birth and zip code, does not compromise the security or privacy of the PHI.

Low-Risk HIPAA Violations – Exempt from Breach Notification

HITECH Guidance: Breach does not include:

Good faith, unintentional acquisition, access, or use of PHI by a workforce member of a CE, BA, or BA subcontractor

Inadvertent disclosure to another authorized person within the entity or its business associates

Recipient could not reasonably have retained the data

Data is limited to a limited data set that does not include dates of birth or zip codes

Investigation

Review the circumstances regarding the breach, conduct an investigation, complete a risk assessment, and determine necessary actions including involvement of enterprise, local, and legal counsel resources.

Coordinate communications with all involved in the investigation, including patients, licensing and accrediting organizations, state and federal governmental agencies, etc.

Investigation - Continued

Author, gather, maintain, and retain all related Breach investigation documentation (to be maintained for a minimum of six years).

Recommend resolution and corrective action steps (sanctions) to mitigate potential harm.

Report results of the investigation to involved persons, entities, and agencies as recommended and/or required by law.

Risk Assessment

Who impermissibly used the information, or to whom was it impermissibly disclosed?

What type and amount of PHI was involved?

Is there a significant risk of financial, reputational, or other harm to the individual?

Risk Assessment - Resource

North Carolina Healthcare Information and Communication Alliance (NCHICA)*

HITECH Act Breach Notification Risk Assessment Tool

Flow Chart

Report Form

Score Card/Risk Score

*Nationally recognized nonprofit consortium dedicated to "improving health and care in North Carolina by accelerating the adoption of information technology and enabling policies."

Patient Breach Notification Letter

Content – The notice shall be written in plain language and must contain the following information:

A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known

A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, Social Security number, date of birth, home address, account number, diagnosis, disability code or other types of information were involved)

Letter - Continued

Any steps the individual should take to protect themselves from potential harm resulting from the breach

A brief description of what the organization is doing to investigate the breach, to mitigate harm to individuals, and to protect against further breaches

Contact procedures for individuals to ask questions or learn additional information


Breach Notification < 500

Office for Civil Rights: For breaches that affect fewer than 500 individuals, a covered entity must provide the Secretary with notice annually. All notifications of breaches occurring in a calendar year must be submitted within 60 days of the end of the calendar year in which the breaches occurred (March 1, 2011 for breaches occurring in 2010).

A separate form must be completed for every breach that has occurred during the calendar year.

Breach Notification 500+

Office for Civil Rights: If a breach affects 500 or more individuals, a covered entity must provide the Secretary with notice of the breach without unreasonable delay and in no case later than 60 days from discovery of the breach. This notice must be submitted electronically.

Media: Notice shall be provided to prominent media outlets serving the state and regional area when the breach affects more than 500 patients.
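The thresholds and timelines on the last few slides, together with the exceptions from the "Low-Risk HIPAA Violations" slide, as a small deadline calculator. This is an added example, not material from the HIPAA COW presentation or the NCHICA tool; the BreachEvent fields are this example's own assumptions about what an internal investigation records, and the individual-notice deadline (60 days from discovery, 45 CFR 164.404(b)) is not stated on the slides. It encodes the 2011 "significant risk of harm" standard exactly as the presentation describes it.

```python
"""Breach notification deadline calculator (added example, not the presentation's own material).

Encodes the thresholds and timelines as stated on the slides (2011 interim final
rule, "significant risk of harm" standard).  The BreachEvent fields are this
example's assumptions about what an investigation records.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

NOTICE_WINDOW = timedelta(days=60)
HHS_IMMEDIATE_THRESHOLD = 500   # 500 or more: notify the Secretary within 60 days of discovery
MEDIA_THRESHOLD = 500           # slides: "more than 500" -> media notice


@dataclass(frozen=True)
class BreachEvent:
    """One impermissible use or disclosure under assessment (constructed data)."""
    discovered: date
    affected: int
    unsecured_phi: bool = True          # the rule applies only to unsecured PHI
    # The four exceptions listed on the "Low-Risk HIPAA Violations" slide:
    workforce_good_faith: bool = False  # good-faith, unintentional access by a workforce member
    inadvertent_internal: bool = False  # inadvertent disclosure to another authorized person
    not_retainable: bool = False        # recipient could not reasonably have retained the data
    lds_without_dob_zip: bool = False   # limited data set lacking dates of birth and zip codes
    # Outcome of the risk assessment (who / what / potential for harm):
    significant_risk_of_harm: bool = True


def is_exempt(ev: BreachEvent) -> bool:
    """True when any listed exception removes the event from the breach definition."""
    return any((ev.workforce_good_faith, ev.inadvertent_internal,
                ev.not_retainable, ev.lds_without_dob_zip))


def is_notifiable(ev: BreachEvent) -> bool:
    """Notification is owed only for unsecured PHI, with no exception, and significant risk of harm."""
    return ev.unsecured_phi and not is_exempt(ev) and ev.significant_risk_of_harm


def hhs_deadline(ev: BreachEvent) -> date:
    """Date by which the Secretary must be notified.

    500 or more individuals: within 60 days of discovery.  Fewer than 500: within
    60 days of the end of the calendar year of the breach, which is March 1 in a
    common year and February 29 when the following year is a leap year.
    """
    if ev.affected >= HHS_IMMEDIATE_THRESHOLD:
        return ev.discovered + NOTICE_WINDOW
    return date(ev.discovered.year, 12, 31) + NOTICE_WINDOW


def media_notice_required(ev: BreachEvent) -> bool:
    """Prominent media outlets must be notified when more than 500 individuals are affected.

    The regulation counts residents of a single state or jurisdiction; the slides
    say "patients", and this example follows the slides.
    """
    return ev.affected > MEDIA_THRESHOLD


def notification_plan(ev: BreachEvent) -> Optional[dict]:
    """Return the notification obligations for the event, or None when none is owed."""
    if not is_notifiable(ev):
        return None
    return {
        # 45 CFR 164.404(b): individuals within 60 days of discovery (not on the slides)
        "individual_notice_by": ev.discovered + NOTICE_WINDOW,
        "hhs_notice_by": hhs_deadline(ev),
        "hhs_notice_immediate": ev.affected >= HHS_IMMEDIATE_THRESHOLD,
        "media_notice_required": media_notice_required(ev),
    }


if __name__ == "__main__":
    # Constructed scenarios, not real incidents.
    scenarios = {
        "small":  BreachEvent(discovered=date(2010, 6, 15), affected=120),
        "large":  BreachEvent(discovered=date(2010, 6, 15), affected=501),
        "exempt": BreachEvent(discovered=date(2010, 6, 15), affected=3000,
                              lds_without_dob_zip=True),
    }
    for name, ev in scenarios.items():
        print(name, notification_plan(ev))
```

The leap-year case matters in practice: breaches discovered in 2011 had an annual reporting deadline of February 29, 2012, not March 1, so hard-coding "March 1" in a tracker would have reported them late.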

Panelist Portion

Was Your Organization Ready for HITECH Breach Notification?

How Did You Prepare?

Policy Development

Staff Training, Education, Awareness

Business Associate Relationships

What Was the Biggest Surprise in Implementing Breach Notification?

What Was the Most Valuable Lesson Learned?

What Best Practices Did You Develop?

What Are Your Ongoing Concerns?

Audience Participation

Lessons Learned

Totally Underestimated Impact on Daily Job Responsibilities

2008: 38 Internal Privacy Investigations

2009: 98 Internal Privacy Investigations (48 in the Last Quarter)

2010: 210 Internal Privacy Investigations

Initial Approach to Addressing “Harm” Was Probably Too Conservative

Partner with Collection Agency to Address Processes, Policies, Etc.

Lessons Learned - Continued

Reach Out to Peers for Brain-Storming Best Practices

Be Open to New Directives/Interpretations

Contacting Patients to Determine "Harm"

Employee Breach Attestation

Lessons Learned - Continued

Mitigation

Patient Requests

Organizational Offerings

Bookmark/Print Examples from Published Breaches

Notices

Press Releases

Website Communications

External Resources (Credit Card Agencies)