
HITECH Breach Notification


Presentation Transcript


  1. HITECH Breach Notification Betsy Hall, MPH, CHC Compliance Officer & Privacy Officer betsy.hall@jhsmh.org 560-8404 or 544-6434

  2. HITECH Changes to HIPAA • HIPAA Privacy and Security regulations have become more stringent under the HITECH Act, enacted as part of President Obama’s American Recovery & Reinvestment Act (ARRA) • Effective Feb. 17, 2010 • HIPAA policies and procedures must be changed • Re-education of team members, volunteers and physicians is necessary

  3. Immediate Changes • Breach notification requirement • Increased monetary and criminal penalties • Changes in enforcement oversight • Changes to Business Associate Relationships

  4. Breach Notification • Under ARRA, Covered Entities must notify patients without unreasonable delay, and no later than 60 days after discovering that their unsecured patient information was acquired, accessed, used or disclosed inappropriately. • The notice must describe what happened, what the organization is doing to investigate the breach, how similar breaches will be prevented in the future, steps individuals can take to protect themselves, and contact information. • Breach investigations and notification are typically handled by Compliance.

  5. Breach Notification • Breaches involving 500 or more patients will require notification of the U.S. Department of Health and Human Services for posting on its web site, and notification of the media. • Notification must be coordinated by Compliance, Legal and Public Relations.

  6. Required Elements of Notice • The notice (letter, Web posting, ad in news media) must contain at least the following elements, in plain language: • A brief description of what happened, including the date of the breach and the date of discovery of the breach; • A description of the types of unsecured PHI involved in the breach (e.g., whether full name, Social Security number, date of birth, home address, account number, diagnosis, disability code or other types of information were involved);

  7. Required Elements of Notice cont. • Any steps that individuals should take to protect themselves from potential harm resulting from the breach; • A brief description of what the organization is doing to investigate the breach, to mitigate the harm to individuals and to protect against any further breaches; and • Contact procedures for individuals to ask questions or learn additional information, which must include a toll-free telephone number, an e-mail address, Web site, or postal address.

  8. Penalties • Disciplinary action up to and including termination from the Covered Entity. • Potential lawsuits against individuals and/or organizations by patients whose information has been breached. • Government investigations by the state Attorney General Office, state Office of Inspector General, and U.S. Department of Health and Human Services Office for Civil Rights, among others. • Costly mitigation and remediation. • Public reporting and negative publicity for the organization.

  9. Monetary Penalties

  10. Breaches Over 500 • 130 reported nationwide to OCR as of Aug. 17 • Loss, theft, unauthorized access, hacking, improper disposal, misdirected email • http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

  11. Breaches Over 500 • 5 cases in KY • Kentucky Employers’ Health Plan, 676 patients, misdirected email • UofL Research Foundation, 708 patients, hacking • Jewish Hospital, 2,089 patients, theft of laptops • Medical Center at Bowling Green, 5,418 patients, theft of portable electronic device • Our Lady of Peace, 24,600 patients, loss/theft of portable electronic device

  12. Possible Breaches • Accessing a patient’s medical record out of curiosity • Faxing or mailing a patient’s medical record to the wrong location • Leaving patient information on the answering machine of the wrong individual • Disposing of patient information in the trash (face sheets, medical records, IV and pharmacy labels) • Losing a flash drive or CD that contains patient info • Disclosing PHI on Facebook, MySpace, Twitter or other social networking sites

  13. Recent Breaches Connecticut Attorney General Sues Health Net for security breach involving medical records on 446,000 Enrollees The Connecticut Attorney General also got a court order blocking Health Net from continued violations of HIPAA by requiring that any protected health information contained on a portable electronic device be encrypted.

  14. Recent Breaches Blue Cross Blue Shield of Tennessee suffered the theft of 57 hard drives and incurred $7 million in expenses for remediation and to address the resulting security issues. Potential issues include non-compliance with physical security requirements, lack of encryption, and inadequate tracking of PHI on portable devices.

  15. Recent Breaches • CVS pharmacy paid $2.25 million and Rite Aid pharmacy paid $1 million to settle HIPAA Privacy cases for failing to appropriately dispose of protected health information (PHI) on labels from prescription bottles and old prescriptions.

  16. Recent Breaches Lexington Herald-Leader (KY) May 16, 2009 Page: A1 Facilities asked to limit cell phone use Nursing home under fire after abuse citation

  17. Tips for Handling a Breach • Collaborate with Legal, Security and Management on Investigation • Collaborate with Public Relations • Data Logistics • Mailing Logistics • Reporting Logistics • Internal Communications • External Communications • Establishing your own toll-free number vs. a call center • Expect the Unexpected • Expect an audit from OCR, OIG, FTC, AG, or Joint Commission

  18. QUESTIONS? Contact: Compliance Officer Betsy Hall, MPH, CHC, 560-8404 Associate Compliance Officer Susan Stine, RHIT, CHP, CCS, CCS-P, 587-4044 Compliance Coordinator Bev Norton, 560-8392
