Healthcare Privacy Officer on Evaluating Breach Incidents A look at tools and processes for monitoring compliance and preserving your reputation


Slide 1: Healthcare Privacy Officer on Evaluating Breach Incidents: A look at tools and processes for monitoring compliance and preserving your reputation. June 20, 2012, ID Experts Webinar, www.idexpertscorp.com

Slide 2: Presenters
- Mahmood Sher-Jan, VP of Product Management, mahmood.sher-jan@idexpertscorp.com
- Sophia Collaros, JD, MA, CIPP/US, Privacy Officer, SCollaros@salud.unm.edu

Slide 3: Agenda
- Introduction to privacy incident management (PIM) tools: ID Experts RADAR
- UNM's ecosystem and privacy incident management model
- UNM's transition from manual/ad hoc to automated incident management
- Key metrics and ROI of privacy incident management automation

Slide 4: The Compliance Challenge (chart: ANSI PHI Project survey findings)

Slide 5: PHI/PII Incident Management Solutions (chart of low-tech and high-tech tools, plotted by ease of use and affordability against solution scope and automation; drivers shown: regulatory (HIPAA/HITECH, states) and ethical (mission, organizational culture); RADAR(TM) is labelled on the chart)

Slide 6: Incident Management Lifecycle Best Practices
- Incident capture: software-prompted input
- Breach response: obligations, due dates, compliance documentation

Slide 7: RADAR(TM): HITECH Breach Notification Rule compliance. FairWarning Ready for Privacy and Compliance Reporting. Our data breach preparedness and response solutions are endorsed by the American Hospital Association.

Slide 8: RADAR(TM): State breach notification law(s) compliance (same FairWarning and American Hospital Association footer as slide 7)

Slide 9: UNM Ecosystem and Privacy Incident Management Model: Integrated academic health center and health care delivery system. The Regents of the University of New Mexico accept no liability for any use of this presentation or reliance placed on it, as they make no representation or warranty, express or implied, as to the accuracy, reliability, or completeness of the presentation.

Slide 10: UNM Ecosystem Components
- University of New Mexico Health Sciences Center and UNM Health System (public academic health center)
- University of New Mexico Hospital
- UNM Children's Hospital
- UNM Adult Psychiatric Center
- UNM Children's Psychiatric Hospital
- UNM Carrie Tingley Hospital
- UNM Medical Group, Inc. (UNM MG)
- UNM Cancer Center (clinical operations)
- Clinical operations of the UNM School of Medicine
- UNM MG physician offices
- UNM Dental Ambulatory Surgery Center

Slide 11: UNM Ecosystem Components (continued)
- UNM Sandoval Regional Medical Center, Inc.
- UNMSRMC outpatient facilities and clinics
- Clinical operations/activities of the UNM College of Nursing
- Clinical operations/activities of the UNM College of Pharmacy
- UNM and health system self-insured health plans
- Other health care components of UNM
- Hybrid covered entity designation

Slide 12: Privacy Incident Management Model: Initial Processes
- Workforce member education and training
- Privacy breach notification policy and process
- Dissemination of contact information for initial reports
- Privacy Officer receives the report of a possible breach by email, phone call, or privacy complaint (entry of the possible data breach incident information within RADAR begins here)
- Privacy Office requests immediate completion of the Possible Breach Notification Form: who, what, when, where

Slide 13: Privacy Incident Management Model: Report of Possible Breach (Internal Possible Breach Notification Form)
- Contact information for the person reporting the breach
- Circumstances of the breach: date discovered; time period when the breach occurred (to the best of your knowledge)
- Format of the information breached: hard copy/paper/fax; images/graphs; electronic/computerized; conversations; phone message

Slide 14: Report of Possible Breach (form, continued)
- Specification detail: Health Sciences/Health System owned or personal; type and make of device; property tag number
- Describe what happened (sequence of events, contributing factors leading up to the breach; examples)
- Type of breach: theft, loss, improper disposal, unauthorized access, hacking/IT incident, other, unknown

Slide 15: Report of Possible Breach (form, continued): Location of the breached information
- CD/disk/flash drive/USB/other external memory
- Laptop (specify brand, tag number, etc.)
- Desktop computer (brand, property tag #, location)
- Network server
- Phone, PDA, or other mobile communication device
- Electronic health record
- Images, graphs, paper
- Conversations, phone messages
- Other (specify)

Slide 16: Report of Possible Breach (form, continued)
- Was the information encrypted? Yes, no, don't know, not applicable
- Description of the breached information: enumerated personal information; enumerated health information (the list includes information about disease or medical conditions, medications, treatment or procedures, test results, children, hereditary information, etc.)

Slide 17: Report of Possible Breach (form, continued): Safeguards in place prior to the breach
- Firewalls, physical security, intrusion software, secure browser sessions, strong authentication, logical access control, biometrics, packet filtering, encrypted wireless, anti-virus software

Slide 18: Report of Possible Breach (form, continued)
- To the best of your knowledge, how many individuals' identifiable information was included in the breached information? Only one; less than 10; between 10 and 499; 500 or more; don't know
- If more than 500, best estimate of the exact number of individuals affected

Slide 19: Report of Possible Breach (form, continued)
- Has anything been done to recover the information or mitigate the breach so far?
- This breach has been reported to (check all that apply, including date of report and contact information): university and other law enforcement entities; various IT departments; Privacy Office; Risk Management; Compliance; other

Slide 20: Report of Possible Breach (form, continued)
- Name of the person completing the breach report, with specific contact and location information
- Privacy Office tracking: date report received; Privacy Office file number; security incident report number; current status (risk assessment; root cause; mitigation)

Slide 21: Risk of Harm Assessment and Documentation: Use of Software Tool
- The burden is on the covered entity to document whether breach notification is required or not
- Use of the tool to document: financial, reputational, or other harm; root cause; mitigation

Slide 22: Risk of Harm Assessment and Documentation: Metrics & Trends
- Use of RADAR additionally to document: total possible breaches addressed (monthly, quarterly, annually); total breaches requiring notice; total affected individuals; location of breach (unit, department, health care component); notices (Secretary, media, web site, substitute notice, any other required notice)

Slide 23: Risk of Harm Assessment and Documentation: Metrics & Trends (continued)
- Assess any trends: workforce member health care areas (unit, department, workforce individuals); type of media (missing, lost, stolen, unencrypted); electronic vs. remote electronic vs. other media
- Use of trending data, broken down by the same dimensions, to assess any necessary mitigation factors

Slide 24: Risk of Harm Assessment and Documentation: Use of Software Tool
- Was the protected health information (PHI) secured (encrypted or rendered unusable, unreadable, or indecipherable to unauthorized individuals)?
- Did the use or disclosure violate the HIPAA Privacy Rule?
- Does the use or disclosure fall under one of the exceptions to the notification requirement?

Slide 25: Risk of Harm Assessment and Documentation: Use of Software Tool (continued)
- The covered entity has the burden of demonstrating that an exception applies and must document why the impermissible use or disclosure falls under one of the exceptions
- Exceptions: workforce member inadvertent access to PHI; inadvertent disclosure from a covered entity or BA to a similarly situated person at or within another covered entity or BA; good-faith belief that the unauthorized person to whom the PHI was disclosed would not reasonably have been able to retain the information

Slide 26: Risk of Harm Assessment and Documentation: Use of Tool
- Does the use or disclosure of PHI pose a significant risk of financial, reputational, or other harm to the individual?
- Factors: type and amount of PHI involved; nature of the PHI used or disclosed; steps taken to mitigate; satisfactory assurance that the PHI was returned/destroyed

Slide 27: Reporting Assessments: Use of Tool
- Final assessments: risk of harm (high, medium, low); applicable policies and procedures, and laws related to sensitive information; transparency; other assessments (state); types of required reporting
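The assessment steps on slides 24 to 27 form a decision procedure: secured PHI stops the analysis, then a Privacy Rule check, then the three exceptions, then a risk-of-harm rating that decides which notices are due. The following is an added example, not the RADAR product and not UNM's own tooling, that encodes those steps over the form fields from slides 13 to 19 and keeps the documentation trail the covered entity must be able to produce. The scoring weights behind the High/Medium/Low rating, the rule that only a Low result avoids notification, and the sample incidents are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class NotificationException(Enum):
    """The three exceptions to the notification requirement listed on slide 25."""
    WORKFORCE_INADVERTENT_ACCESS = "workforce member inadvertent access to PHI"
    SIMILARLY_SITUATED_DISCLOSURE = "inadvertent disclosure to a similarly situated person within a covered entity or BA"
    COULD_NOT_RETAIN = "good-faith belief the unauthorized recipient could not reasonably have retained the information"


# Health-information categories from the slide 16 checklist; treating them as
# sensitive for scoring is an assumption of this example.
SENSITIVE_CATEGORIES = {"disease or medical condition", "medications", "treatment or procedures",
                        "test results", "children", "hereditary information"}


@dataclass
class PossibleBreach:
    """Subset of the Possible Breach Notification Form fields (slides 13 to 19)."""
    file_number: str                          # Privacy Office file number (slide 20)
    breach_type: str                          # theft, loss, improper disposal, ... (slide 14)
    encrypted: Optional[bool]                 # yes / no / don't know -> True / False / None (slide 16)
    violates_privacy_rule: bool               # slide 24, second question
    exception: Optional[NotificationException] = None
    individuals_affected: int = 0             # slide 18
    health_info_categories: List[str] = field(default_factory=list)
    mitigation_steps: List[str] = field(default_factory=list)   # slide 19
    satisfactory_assurance_returned_or_destroyed: bool = False  # slide 26


@dataclass
class Assessment:
    notification_required: bool
    risk_of_harm: Optional[str]               # High / Medium / Low, or None if never reached
    required_notices: List[str]
    rationale: List[str]                      # the written record the covered entity retains


def score_risk_of_harm(incident: PossibleBreach) -> str:
    """Slide 26 factors -> High / Medium / Low. Weights and thresholds are assumed."""
    score = 2 if SENSITIVE_CATEGORIES.intersection(incident.health_info_categories) else 1
    if incident.individuals_affected >= 500:      # amount of PHI involved
        score += 2
    elif incident.individuals_affected >= 10:
        score += 1
    if incident.breach_type in ("theft", "hacking/it incident"):
        score += 1                                # a hostile party holds the data
    if incident.mitigation_steps:                 # steps taken to mitigate
        score -= 1
    if incident.satisfactory_assurance_returned_or_destroyed:
        score -= 2
    return "High" if score >= 4 else "Medium" if score >= 2 else "Low"


def assess(incident: PossibleBreach) -> Assessment:
    rationale = [f"file {incident.file_number}: breach type '{incident.breach_type}'"]
    # Step 1 (slide 24): secured PHI is not a reportable breach.
    if incident.encrypted is True:
        rationale.append("PHI was encrypted or otherwise rendered unusable; notification not required")
        return Assessment(False, None, [], rationale)
    if incident.encrypted is None:
        rationale.append("encryption status unknown; treated as unsecured")
    # Step 2 (slide 24): no Privacy Rule violation means no breach.
    if not incident.violates_privacy_rule:
        rationale.append("use or disclosure was permitted under the Privacy Rule; no breach")
        return Assessment(False, None, [], rationale)
    # Step 3 (slide 25): document which exception applies, because the burden is on the entity.
    if incident.exception is not None:
        rationale.append(f"exception applies: {incident.exception.value}")
        return Assessment(False, None, [], rationale)
    # Step 4 (slides 26 and 27): rate the risk of harm and derive the notices.
    risk = score_risk_of_harm(incident)
    rationale.append(f"risk of harm assessed as {risk}")
    if risk == "Low":
        rationale.append("no significant risk of financial, reputational or other harm; no notice")
        return Assessment(False, risk, [], rationale)
    notices = ["affected individuals"]
    if incident.individuals_affected >= 500:      # slide 18's top category
        notices += ["HHS Secretary (without unreasonable delay)", "prominent media"]
    else:
        notices.append("HHS Secretary (annual log)")
    rationale.append("notification required: " + ", ".join(notices))
    return Assessment(True, risk, notices, rationale)


def sample_incidents() -> dict:
    """Constructed sample reports (not real cases), one per branch of the procedure."""
    return {
        "stolen_laptop": PossibleBreach("PO-0001", "theft", encrypted=False, violates_privacy_rule=True,
                                        individuals_affected=1200,
                                        health_info_categories=["test results", "medications"]),
        "misdirected_fax": PossibleBreach("PO-0002", "other", encrypted=None, violates_privacy_rule=True,
                                          individuals_affected=1, health_info_categories=["medications"],
                                          mitigation_steps=["recipient clinic contacted"],
                                          satisfactory_assurance_returned_or_destroyed=True),
        "encrypted_laptop": PossibleBreach("PO-0003", "loss", encrypted=True, violates_privacy_rule=True,
                                           individuals_affected=300),
        "inadvertent_access": PossibleBreach("PO-0004", "unauthorized access", encrypted=False,
                                             violates_privacy_rule=True, individuals_affected=1,
                                             exception=NotificationException.WORKFORCE_INADVERTENT_ACCESS),
    }


if __name__ == "__main__":
    for name, incident in sample_incidents().items():
        print(name, assess(incident))
```

Every early return still appends to `rationale`, because the slides stress that the covered entity must be able to show why it did not notify, not only why it did; the stored rationale is what answers a later inquiry or audit.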

Slide 28: The Solution: ID Experts RADAR
- Documentation of the breach notification analysis: incident description
- Documentation of the risk assessment: data profile; data sensitivity
- Retention of a readily retrievable description of the privacy breach incident: incident notes; final disposition of the incident; summary assessment
- Available for any subsequent inquiries or required reporting

Slide 29: Privacy Incident Management: Summary of Things You Must Do
- Build an Incident Response Plan (IRP) and a team
- Develop a process for incident risk assessment, documentation, and reporting
- Train your workforce members on your procedures and processes for compliance

Slide 30: Resources
- ID Experts RADAR: http://www2.idexpertscorp.com/radar
- Privacy Incident Management Solution Guide: http://www2.idexpertscorp.com/breach-tools/radar/solution-guide/
- ID Experts: http://www2.idexpertscorp.com
- OCR audit website: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html

Slide 31: Questions & Answers
- Mahmood Sher-Jan, ID Experts, VP of Product Management, mahmood.sher-jan@idexpertscorp.com, 971-242-4706
- Sophia Collaros, JD, MA, CIPP/US, UNM Health Sciences Center Privacy Officer, SCollaros@salud.unm.edu, 505-272-1493