• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
HIPAA – Where’s the Harm? Final Rule Update
 

HIPAA – Where’s the Harm? Final Rule Update

on

  • 781 views

 

Statistics

Views

Total Views
781
Views on SlideShare
781
Embed Views
0

Actions

Likes
1
Downloads
50
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    HIPAA – Where’s the Harm? Final Rule Update HIPAA – Where’s the Harm? Final Rule Update Presentation Transcript

    • HIPAA – Where’s the Harm?Final Rule UpdateFebruary 6, 2013
    • Introductions: Today’s Speaker• Mark Rasch, Esq.- Director, Privacy and Security Consulting, CSC • Mrasch2@csc.com, 301-547-6925• Gant Redmon, General Counsel, Co3 Systems • gredmon@co3sys.com, 617-300-8136 Page 2
    • Agenda• Introduction• Where’s the Harm• Risk Assessment• New Challenges• Breach Rules Page 3
    • Timeline• HIPAA – August 21, 1996• HITECH – February 17, 2009• Proposed Rules – August 24, 2009 (Breach Notification)• Final Rule – January 17, 2013 (2.5 years in the making) Page 4
    • Harm and Risk Assessment• The Final Rule eliminates the "harm threshold" provision, which allowed covered entities and business associates to avoid breach notification if they determined themselves a breach would not cause harm to an individual. HHS now calls for covered entities and BAs to assess the probability that the PHI has been compromised instead of assessing the risk of harm to the individual. • an impermissible use or disclosure of PHI is "presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised." • Replaces the "significant risk of harm" standard set forth in the Interim Final Rule. HHS notes that the prior focus on "harm to an individual" was too subjective, risking inconsistent interpretations and results across covered entities and business associates. • Requires a post-breach assessment of probability that PHI has been compromised in for form of a risk assessment. Page 5
    • Harm and Risk AssessmentBreach• New rule removes the “harm standard” and modifies the risk assessment to focus on the risk that the protected health information has been compromised.• Breach notification is not required under the final rule it is demonstrated • through a risk assessment • that there is a low probability that the protected health information has been compromised, • rather than demonstrate that there is no significant risk of harm to the individual.• Objective factors covered entities and business associates must consider and documented when performing a risk assessment to determine if the protected health information has been compromised and breach notification. Page 6
    • Harm and Risk AssessmentRisk Assessment in the Event of Breach – Factors• After possible breach, must conduct a risk assessment that considers at least the following factors: 1. the nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification; 2. the unauthorized person who used the protected health information or to whom the disclosure was made; 3. whether the protected health information was actually acquired or viewed; and 4. the extent to which the risk to the protected health information has been mitigated.• Must provide documentation of the assessment and validation of conclusions• Burden of proof is on covered entity or business associate• May make a NOTIFICATION without conducting the assessment Page 7
    • Harm and Risk AssessmentFactor 1: Nature and Extent of PHI• Consider types of identifiers and the likelihood of re-identification of the information.• Is the information of a more sensitive nature? • financial information (credit card numbers, social security numbers, or other information that increases the risk of identity theft or financial fraud. • Clinical information • the nature of the services or other information • the amount of detailed clinical information involved (e.g., treatment plan, diagnosis, medication, medical history information, test results).• Probability that the protected health information could be used by an unauthorized recipient in a manner adverse to the individual or otherwise used to further the unauthorized recipient’s own interests. Page 8
    • Harm and Risk AssessmentFactor 2: To Whom Was Information Improperly Disclosed?• Does the unauthorized person who received the information has obligations to protect the privacy and security of the information?• If protected health information is impermissibly disclosed to another entity obligated to abide by the HIPAA Privacy and Security Rules or to a Federal agency obligated to comply with the Privacy Act of 1974 and the Federal Information Security Management Act may not have to make disclosure.• How do I validate the identity and authorization of the person to whom data was disclosed? How do I document this process?• Does the unauthorized person have the ability to re-identify de-identified information or data sets?• Remember, “breach” includes BOTH unauthorized access or unauthorized use. Page 9
    • Harm and Risk AssessmentFactor 3: Whether the protected health information was actually acquired orviewed• Must determine if the protected health information was actually acquired or viewed or, alternatively, if only the opportunity existed for the information to be acquired or viewed. • Example 1: Laptop computer is stolen and later recovered and a forensic analysis shows that the protected health information on the computer was never accessed, viewed, acquired, transferred, or otherwise compromised, the entity could determine that the information was not actually acquired by an unauthorized individual even though the opportunity existed. Page 10
    • Harm and Risk Assessment • Example 2: Covered entity mails information to the wrong individual who opens the envelope and calls the entity to say that she received the information in error. The unauthorized recipient viewed and acquired the information because she opened and read the information to the extent that she recognized it was mailed to her in error. • Example 3. Covered entity mails information to a patient’s old address, faxes information to the wrong number, leaves a voice message at the wrong number reminding a patient of an upcoming appointment, or, in situations where patients have identical or similar names, contacting the wrong patient to inform him or her that lab results were ready. Investigation required. Page 11
    • Harm and Risk AssessmentFactor 4: The extent to which the risk to the protected health information hasbeen mitigated.• Consider the extent to which the risk to the protected health information has been mitigated. • obtaining the recipient’s satisfactory assurances that the information will not be further used or disclosed (through a confidentiality agreement or similar means) or will be destroyed, (how is it destroyed, by whom, and who validates?_ • consider the extent and efficacy of the mitigation when determining the probability that the protected health information has been compromised.• Do you trust the assurances? • Employee? Affiliate? Independent third party? • The recipient of the information will have an impact on whether the covered entity can conclude that an impermissible use or disclosure has been appropriately mitigated Page 12
    • Harm and Risk AssessmentStatutory Exceptions• Sometimes the unauthorized acquisition, access, use, or disclosure of protected health information is so inconsequential that it does not warrant notification. • if a covered entity misdirects a fax containing protected health information to the wrong physician practice, and upon receipt, the receiving physician calls the covered entity to say he has received the fax in error and has destroyed it, the covered entity may be able to demonstrate after performing a risk assessment that there is a low risk that the protected health information has been compromised.• BUT – the rule requires that this still be assessed against standards Page 13
    • Harm and Risk Assessment• HIPAA/HITECH also require covered entities (and now possibly business associates) to provide notice of privacy practices.• These may have to now include notice of breach notification policies and practices. (What we will do in the event of a breach)• Turtles all the way down… who notifies the patient/data subject? Who notifies HHS?• The notice is a contract with the patient and can create greater obligations than the law provides. Page 14
    • Harm and Risk AssessmentRisk Assessment in the UK• Also uses the term “risk assessment” and asks: • What type of data is involved? (1) • How sensitive is it? Remember that some data is sensitive because of its very personal nature (health records) while other data types are sensitive because of what might happen if it is misused (bank account details) Health information is sensitive personal information. (1) • If data has been lost or stolen, are there any protections in place such as encryption? (3) • What has happened to the data? If data has been stolen, it could be used for purposes which are harmful to the individuals to whom the data relate; if it has been damaged, this poses a different type and level of risk (2) NOTE: UK Standard still talks about “harm.” Page 15
    • Harm and Risk AssessmentCont’d• What could the data tell a third party about the individual? Sensitive data could mean very little to an opportunistic laptop thief while the loss of apparently trivial snippets of information could help a determined fraudster build up a detailed picture of other people. (Matrix theory) (1&2)• How many individuals’ personal data are affected by the breach? It is not necessarily the case that the bigger risks will accrue from the loss of large amounts of data but is certainly an important determining factor in the overall risk assessment (spearphishing, trolling, whalephishing)(1)• Who are the individuals whose data has been breached? Whether they are staff, customers, clients or suppliers, for example, will to some extent determine the level of risk posed by the breach and, therefore, your actions in attempting to mitigate those risks (1) Page 16
    • Harm and Risk AssessmentCont’d• What harm can come to those individuals? Are there risks to physical safety or reputation, of financial loss or a combination of these and other aspects of their life? (4)• Are there wider consequences to consider such as a risk to public health or loss of public confidence in an important service you provide? (4) Page 17
    • POLL
    • New ChallengesBreach Presumed• An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised.• Covered entities and business associates have the burden of proof to demonstrate that all notifications were provided or that an impermissible use or disclosure did not constitute a breach (such as by demonstrating through a risk assessment that there was a low probability that the protected health information had been compromised) and must maintain documentation sufficient to meet that burden of proof. Page 19
    • New ChallengesLimited Data Set Changes• Prior rule – if limited data set breached, no notification required.• New rule - Removed the exception for limited data sets that do not contain any dates of birth and zip codes.• NOW • following the impermissible use or disclosure of any limited data set, a covered entity or business associate must perform a risk assessment that evaluates the factors discussed to determine if breach notification is not required. • Presumably the fact that it is a limited data set goes to the issue of nature and extent of PHI breached Page 20
    • New ChallengesEncryption is your friend…• If protected health information is appropriately encrypted then no breach notification is required following an impermissible use or disclosure of the information.• BUT NOTE: Since the new rule applies to both improper disclosure and improper USE, an improper USE of information that is encrypted at one time may constitute a breach. An authorized person using PHI for an improper purpose is now a breach.• Rule refers specifically to Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals (74 FR 42740, 42742).• Another caveat – the regulation does not exempt unencrypted data that may be difficult or even impossible to recreate because of time, expense, special equipment needed, special software needed, etc. “unsecured protected health information” as “protected health information” that is not secured through the use of a technology or methodology specified by the Secretary in guidance…” Page 21
    • POLL
    • Breach RulesWhen is a breach “discovered?”• Section 164.404(a)(2) Breach shall be treated as discovered by a covered entity • on the first day the breach is known to the covered entity, • or by exercising reasonable diligence would have been known to the covered entity. • “reasonable diligence” defined to mean the “business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.” Page 23
    • Breach RulesWhen is a breach “discovered?”• Do you “know” what any employee knows?• Do you “know” what any agent or subcontractor knows? (common law of agency)• Rule is when the ENTITY knows, NOT when management knows. Thus, having incident response, incident identification and escalation is critical. • “We encourage covered entities and business associates to ensure their workforce members and other agents are adequately trained on the importance of prompt reporting of privacy and security incidents.” Page 24
    • Breach RulesData Breach and “Minimum Necessary”• Privacy Rule’s “minimum necessary” standard requires a covered entity to make reasonable efforts to limit access to protected health information to those persons or classes of persons who need access to protected health information to carry out their duties and to disclose an amount of protected health information reasonably necessary to achieve the purpose of a disclosure.• Same standard on business associates and subcontractors• Failure to make such efforts, or failure to enforce such efforts then result in an “unauthorized use” of information even though an authorized person has access to records. If person has access to TOO MUCH information (more than they reasonably need) this is a DATA BREACH under the new rules.• Risk Assessment is then REQUIRED, and breach notification may be required. Page 25
    • Special Offer – Breach Readiness WorkshopAttendees of today’s webinar quality for a free BreachReadiness Workshop: Based on a custom breach scenario which you define • You define the regulators, data types and quantity, etc. Managed by a Certified Information Privacy Professional (CIPP) Eligible for CPE credit To sign up: http://data-security.co3sys.com/co3_csc-hipaa/ Page 26
    • QUESTIONS
    • “Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.” PC MAGAZINE, EDITOR’S CHOICEOne Alewife Center, Suite 450 “Co3…defines what software packagesCambridge, MA 02140 for privacy look like.”PHONE 617.206.3900 GARTNERWWW.CO3SYS.COM “Platform is comprehensive, user friendly, and very well designed.” PONEMON INSTITUTEMark Rasch, Esq.Director, Privacy and Security ConsultingCSCEmail: Mrasch2@csc.comPhone: 301-547-6925