Healthcare Privacy Officer on Evaluating Breach Incidents
A look at tools and processes for monitoring compliance and preserving your reputation
June 20, 2012, ID Experts Webinar, www.idexpertscorp.com
Mahmood Sher-Jan, VP of Product Management, mahmood.sher-jan@idexpertscorp.com
Sophia Collaros, JD, MA, CIPP/US, Privacy Officer, SCollaros@salud.unm.edu
Agenda
- Introduction to privacy incident management (PIM) tools: ID Experts RADAR
- UNM's ecosystem and privacy incident management model
- UNM's transition from manual/ad hoc to automated incident management
- Key metrics and ROI of privacy incident management automation
The Compliance Challenge: ANSI PHI Project Survey Findings
PHI/PII Incident Management Solutions
[Diagram: low-tech and high-tech tools; labels "Ease of Use & Affordability" and "Solution Scope & Automation"; RADAR(TM); drivers: Regulatory (HIPAA/HITECH, States), Ethical Mission, Org. Culture]
Incident Management Lifecycle Best Practices
Incident Capture: software-prompted input
Breach Response:
- Obligations
- Due Dates
- Compliance Documentation
RADAR(TM): HITECH Breach Notification Rule Compliance
FairWarning Ready for Privacy and Compliance Reporting. Our Data Breach Preparedness and Response Solutions are endorsed by the American Hospital Association.
RADAR(TM): State Breach Notification Law(s) Compliance
UNM Ecosystem and Privacy Incident Management Model
Integrated Academic Health Center and Health Care Delivery System
The Regents of the University of New Mexico accepts no liability for any use of this presentation or reliance placed on it, as it is making no representation or warranty, express or implied, as to the accuracy, reliability, or completeness of the presentation.
UNM Ecosystem Components
University of New Mexico Health Sciences Center and UNM Health System (Public Academic Health Center):
- University of New Mexico Hospital
- UNM Children's Hospital
- UNM Adult Psychiatric Center
- UNM Children's Psychiatric Hospital
- UNM Carrie Tingley Hospital
- UNM Medical Group, Inc. (UNM MG)
- UNM Cancer Center (clinical operations)
- Clinical operations of the UNM School of Medicine
- UNM MG physician offices
- UNM Dental Ambulatory Surgery Center
- UNM Sandoval Regional Medical Center, Inc. (UNMSRMC) outpatient facilities and clinics
- Clinical operations/activities of the UNM College of Nursing
- Clinical operations/activities of the UNM College of Pharmacy
- UNM and health system self-insured health plans
- Other health care components of UNM
Hybrid Covered Entity designation
Privacy Incident Management Model: Initial Processes
- Workforce member education and training
- Privacy breach notification policy and process
- Dissemination of contact information for initial reports
- Privacy Officer receives a report of a possible breach by email, phone call, or privacy complaint (begin entry of the possible data breach incident information within RADAR)
- Privacy Office requests immediate completion of the Possible Breach Notification Form: who, what, when, where
Privacy Incident Management Model: Report of Possible Breach (Internal Possible Breach Notification Form)
- Contact information: person reporting the breach
- Circumstances of breach: date discovered; time period when the breach occurred (to the best of your knowledge)
- Format of breached information: hard copy/paper/fax; images/graphs; electronic/computerized; conversations; phone message
- Specification detail: Health Sciences/Health System owned or personal; type and make of device; property tag number
- Describe what happened (sequence of events, contributing factors leading up to the breach; examples)
- Type of breach: theft, loss, improper disposal, unauthorized access, hacking/IT incident, other, unknown
- Location of breached information: CD/disk/flash drive/USB or other external memory; laptop (specify brand, tag number, etc.); desktop computer (brand, property tag #, location); network server; phone, PDA, or other mobile communication device; electronic health record; images, graphs, paper; conversations, phone messages; other (specify)
- Was the information encrypted? Yes, no, don't know, not applicable
- Description of breached information: enumerated personal information; enumerated health information (the list includes information about disease or medical conditions, medications, treatment or procedures, test results, children, hereditary information, etc.)
- Safeguards in place prior to breach: firewalls, physical security, intrusion software, secure browser sessions, strong authentication, logical access control, biometrics, packet filtering, encrypted wireless, anti-virus software
- To the best of your knowledge, how many individuals' identifiable information was included in the breached information? Only one; less than 10; between 10 and 499; 500 or more; don't know. If 500 or more, give a best estimate of the exact number of individuals affected
- Has anything been done to recover the information or mitigate the breach so far?
- This breach has been reported to (check all that apply, including date of report and contact information): university and other law enforcement entities; various IT departments; Privacy Office; Risk Management; Compliance; other
- Name of the person completing the breach report, with specific contact and location information
Privacy Office tracking: date report received; Privacy Office file number; security incident report number; current status (risk assessment; root cause; mitigation)
Risk of Harm Assessment and Documentation: Use of Software Tool
The burden is on the covered entity to document whether breach notification is required or not. Use the tool to document: financial, reputational, or other harm; root cause; mitigation.
Risk of Harm Assessment and Documentation: Metrics & Trends
Use RADAR additionally to document:
- Total possible breaches addressed (monthly, quarterly, annually)
- Total breaches requiring notice
- Total affected individuals
- Location of breach (unit, department, health care component)
- Notices: Secretary, media, web site, substitute notice, any other required notice
Assess any trends, and use the trending data to assess any necessary mitigation factors:
- Workforce member health care areas (unit, department, workforce individuals)
- Type of media: missing, lost, stolen, unencrypted
- Electronic vs. remote electronic vs. other media
Risk of Harm Assessment and Documentation: Use of Software Tool
- Was the protected health information (PHI) secured (encrypted or rendered unusable, unreadable, or indecipherable to unauthorized individuals)?
- Did the use or disclosure violate the HIPAA Privacy Rule?
- Does the use or disclosure fall under one of the exceptions to the notification requirement?
The covered entity has the burden of demonstrating that an exception applies and must document why the impermissible use or disclosure falls under one of the exceptions:
- Workforce member's inadvertent access to PHI
- Inadvertent disclosure by a person at a covered entity or BA to a similarly situated person within the same or another covered entity or BA
- Good-faith belief that the unauthorized person to whom the PHI was disclosed would not reasonably have been able to retain the information
- Does the use or disclosure of PHI pose a significant risk of financial, reputational, or other harm to the individual? Document: type and amount of PHI involved; nature of the PHI used or disclosed; steps taken to mitigate; satisfactory assurance that the PHI was returned or destroyed
Reporting Assessments: Final Assessments
- Risk of harm: high, medium, low
- Applicable policies and procedures; laws related to sensitive information
- Transparency
- Other assessments (state)
- Types of required reporting
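The four questions above form a decision procedure, and the notices and due dates that follow from a "notification required" outcome are what an incident management tool tracks. The Python below is an added example written for this page; it is not RADAR's code or UNM's form. It encodes the questions in the order the slides ask them, takes the risk-of-harm answer as an input (that judgement belongs to the privacy officer), and derives notice deadlines from 45 CFR 164.404-408 as in force at the time of the webinar (60 calendar days from discovery; Secretary notice contemporaneously for 500 or more individuals, otherwise via the annual log; media notice when more than 500 residents of one state are affected; substitute notice when contact information is insufficient for 10 or more individuals). The sample incidents, the exception keys and all field names are constructed for illustration.

```python
"""Breach-notification decision helper.

Added example, not ID Experts RADAR code. It walks the four questions on
the slides (secured? Privacy Rule violation? exception? significant risk of
harm?) and, when notice is required, lists the notices and due dates from
45 CFR 164.404-408 as in force in 2012. The risk-of-harm answer is the
privacy officer's documented judgement and is an input, not computed here.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# The three exceptions in 45 CFR 164.402; the covered entity must document why one applies.
EXCEPTIONS = {
    "workforce_good_faith": "unintentional access by a workforce member acting in good faith within scope of authority",
    "authorized_recipient": "inadvertent disclosure to another person authorized to access PHI at the same entity",
    "cannot_retain": "good-faith belief the recipient could not reasonably have retained the information",
}
INDIVIDUAL_NOTICE_DAYS = 60    # individuals: without unreasonable delay, no later than 60 calendar days after discovery
HHS_IMMEDIATE_THRESHOLD = 500  # 500 or more: notify the Secretary contemporaneously; fewer: annual log
MEDIA_THRESHOLD = 500          # more than 500 residents of one state: prominent media outlets in that state
SUBSTITUTE_THRESHOLD = 10      # 10 or more unreachable individuals: web posting or major media plus toll-free number


@dataclass
class Incident:
    discovered: date
    phi_secured: bool               # encrypted or destroyed per HHS guidance
    privacy_rule_violation: bool
    exception: Optional[str]        # a key of EXCEPTIONS, or None
    significant_risk_of_harm: bool  # outcome of the documented risk assessment
    affected_by_state: dict[str, int] = field(default_factory=dict)
    unreachable: int = 0            # individuals with no usable contact information


@dataclass
class Determination:
    notify: bool
    rationale: str                  # the sentence that goes in the incident record
    notices: dict[str, date] = field(default_factory=dict)


def assess(inc: Incident) -> Determination:
    """Apply the four questions in order; the first 'no notification' answer wins and is recorded."""
    if inc.phi_secured:
        return Determination(False, "PHI was secured (encrypted or destroyed): not unsecured PHI")
    if not inc.privacy_rule_violation:
        return Determination(False, "use or disclosure was permitted under the Privacy Rule")
    if inc.exception is not None:
        if inc.exception not in EXCEPTIONS:
            raise ValueError(f"unknown exception {inc.exception!r}")
        return Determination(False, f"exception applies: {EXCEPTIONS[inc.exception]}")
    if not inc.significant_risk_of_harm:
        return Determination(False, "no significant risk of financial, reputational or other harm found")

    total = sum(inc.affected_by_state.values())
    deadline = inc.discovered + timedelta(days=INDIVIDUAL_NOTICE_DAYS)
    notices = {"individuals": deadline}
    if total >= HHS_IMMEDIATE_THRESHOLD:
        notices["secretary"] = deadline
    else:
        # log it; submit the log within 60 days after the end of the calendar year of discovery
        notices["secretary_annual_log"] = date(inc.discovered.year, 12, 31) + timedelta(days=60)
    for state, count in inc.affected_by_state.items():
        if count > MEDIA_THRESHOLD:
            notices[f"media_{state}"] = deadline
    if inc.unreachable >= SUBSTITUTE_THRESHOLD:
        notices["substitute_web_or_media"] = deadline
    elif inc.unreachable > 0:
        notices["substitute_alternative"] = deadline  # written, telephone or other means
    return Determination(True, f"breach of unsecured PHI affecting {total} individuals", notices)


# Constructed sample incidents (not real UNM cases).
def example_stolen_laptop() -> Determination:
    """Unencrypted laptop stolen, discovered 1 June 2012; 1,200 NM and 30 TX residents, 15 unreachable."""
    return assess(Incident(date(2012, 6, 1), phi_secured=False, privacy_rule_violation=True,
                           exception=None, significant_risk_of_harm=True,
                           affected_by_state={"NM": 1200, "TX": 30}, unreachable=15))


def example_encrypted_laptop() -> Determination:
    """Same theft, but the disk was encrypted: no notification, and the record says why."""
    return assess(Incident(date(2012, 6, 1), True, True, None, True, {"NM": 1200}))


def example_misdirected_fax() -> Determination:
    """40 patients' records faxed to the wrong clinic: individual notice now, Secretary via the annual log."""
    return assess(Incident(date(2012, 6, 1), False, True, None, True, {"NM": 40}))


if __name__ == "__main__":
    for case in (example_stolen_laptop, example_encrypted_laptop, example_misdirected_fax):
        d = case()
        print(f"{case.__name__}: notify={d.notify}; {d.rationale}")
        for notice, due in sorted(d.notices.items()):
            print(f"  {notice}: due {due.isoformat()}")
```

Every "no notification" branch returns a rationale string rather than a bare false, because the slides stress that the covered entity carries the burden of demonstrating why notice was not required; that string is the record an auditor or OCR would ask for. The harm test encoded here is the "significant risk of financial, reputational, or other harm" standard the slides present; swap in your own assessment criteria if the standard you operate under differs.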
The Solution: ID Experts RADAR
Documentation of breach notification analysis:
- Incident description
- Documentation of risk assessment: data profile, data sensitivity
- Retention of a readily retrievable description of the privacy breach incident: incident notes, final disposition of incident, summary assessment
- Available for any subsequent inquiries or required reporting
Privacy Incident Management: Summary of Things You Must Do
- Build an Incident Response Plan (IRP) and a team
- Develop a process for incident risk assessment, documentation, and reporting
- Train your workforce members on your procedures and processes for compliance
Resources
- ID Experts RADAR: http://www2.idexpertscorp.com/radar
- Privacy Incident Management Solution Guide: http://www2.idexpertscorp.com/breach-tools/radar/solution-guide/
- ID Experts: http://www2.idexpertscorp.com
- OCR audit website: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html
Questions & Answers
Mahmood Sher-Jan, ID Experts VP of Product Management, mahmood.sher-jan@idexpertscorp.com, 971-242-4706
Sophia Collaros, JD, MA, CIPP/US, UNM Health Sciences Center Privacy Officer, SCollaros@salud.unm.edu, 505-272-1493