HIPAA Security Breach Response Plan (OnDemand Webinar)

$219.00

SKU: 408828EAU

Description

If and when protected health information is compromised at your organization, be ready to execute your own security breach response plan. Breach response begins well before a breach occurs. How can you best prepare for and respond to a breach in a manner that protects sensitive information and minimizes risk to your organization? This presentation will help the persons responsible for data privacy navigate the process to prepare for and then identify, respond to, and remediate a HIPAA breach. The presentation also explains the post-breach government investigation and enforcement process and how you can prepare for this stage both prior to and during the breach response phase.

Date: 2023-06-28

Learning Objectives

HIPAA Breach Overview
• HIPAA Basics Overview
• OCR Enforcement Update
• Current Breach Type Summary

Preparation – Protecting PHI
• Do You Have a HIPAA Incident Response Plan?
• Do You Have Sufficient Cyber-Insurance?
• Have You Performed a Security Risk Management Plan and Implemented Recognized Security Practices?

Identification – HIPAA and State Laws
• Internal and External Processes for Identifying a Breach
• What Is a HIPAA Breach (and What Is Not) and/or a State Law Breach?
• Did You Perform an Appropriate Breach Risk Assessment?

Response – So You Have a Breach!
• Have You Mitigated the Incident Appropriately?
• When Does the Notification Clock Start?
• What Are the Notice Requirements?

Post-Breach Investigation and Documentation
• When Will OCR Investigate a Breach?
• Will Attorneys General Initiate an Investigation?
• Have You Updated Your Security Risk Management Plan to Reflect the Incident?

AHIMA, CLE (Please check the Detailed Credit Information page for states that have already been approved), IAPP. Additional credit may be available upon request. Contact Lorman at 866-352-9540 for further information.

Beth Pitman - Holland & Knight, LLP

HIPAA Security Breach Response Plan (OnDemand Webinar)

$219.00

SKU: 406495EAU

Description

If and when protected health information is compromised at your organization, be ready to execute your own security breach response plan. Many covered entities and business associates who are required to comply with HIPAA as well as other federal and state law requirements protecting the privacy and security of patient information still misunderstand when an incident rises to the level of a Breach and what the required responses are. There also continues to be misunderstanding of how and when a breach occurs in certain contexts, who is responsible for it (i.e., the BA or CE?), who needs to be notified, and with whom the legal and contractual obligations rest. This topic helps the persons responsible for their organization’s compliance with HIPAA and other federal and state laws requiring a consistent evaluation of each Security Incident which might compromise Protected Health Information. The material also explains the specific requirements of calculating the 500 or more threshold number of affected individuals for purposes of reporting by a business associate (i.e., per covered entity) and by the covered entity, as well as for purposes of notifying the media (i.e., per jurisdiction). This topic will go into detail and provide you and your organization with a uniquely developed Breach Risk Assessment tool that allows consistent evaluation of the HHS Four Factors that are critical to a final determination of whether a breach is reportable to HHS. This information is critical for organizations to hone their breach policies and procedures to prevent underreporting of breaches (which is a HIPAA violation) as well as overreporting of breaches (i.e., reporting an incident when HIPAA does not legally require it to be reported), which can lead to an unnecessary HHS OCR investigation.

Date: 2019-08-28

Learning Objectives

Definitions of Key HIPAA Terms
• A Detailed Review of Key HIPAA Definitions Will Be Covered: Breach, Security Incident, Protected Health Information, De-Identified Data
• Discussion on How These Definitions Materially Affect Analysis of Whether or Not a Security Incident Rises to the Level of a Breach, and Whether Notification or Other Response Is Required
• Discussion of Why It Is Critical That Definitions of Such Terms Which Appear in HIPAA Business Associate Agreements Track HIPAA’s Definitions

HIPAA Breach Risk Assessment
• Do You Have a Breach of 500 or More Affected Individuals? Discussion of HHS’s Guidance on How to Calculate the Total Number of Individuals Affected by a Breach (i.e., per Covered Entity). Additional Discussion Regarding How to Calculate Number of Individuals Affected by State/Jurisdiction for Purposes of Media Notices
• Safe Harbors: Unintentional; Inadvertent; Not Reasonably Retained. Overview of the Statutory Carve-Outs Which Permit a Conclusion of No Breach
• Evaluating Low Probability PHI Compromised. Detailed Discussion of HHS’s Guidelines on How to Evaluate the Low Probability Threshold in a Consistent Manner. Overview of the Four Factors Critical to This Assessment, and How to Evaluate the Four Factors in a Consistent Manner. A Deep Dive Into:
  • Nature and Extent of Data: Discussion of Minimal PHI? De-Identified Data? Limited Data Sets?
  • Nature of Recipient/Unauthorized Individual: Discussion of Cooperative vs. Uncooperative Individuals
  • Determining If PHI Was Acquired or Viewed: Discussion of Confirming No Access Through Forensics; HHS’s Discussion and Guidance Regarding Whether Deployed Ransomware Is a Breach
  • Mitigation: Discussion of What Steps Need to Be Taken for Full Mitigation; Discussion of Sanitization of External Devices and Accounts That May Have Transmitted and/or Housed Breached PHI, and When Legal Intervention Might Be Appropriate (i.e., Discussion of Successful Interventions by Courts)
• Step-By-Step Work Through of Example Breach Cases Using Oscislawski LLC’s Low Probability Assessment Tool to Apply the Four Factor Test and Calculate a Low Probability Score, and Discussion of How to Use the Low Probability Score in Final Determination of Whether a Breach Is Reportable (i.e., Notices Required). (See Sample HIPAA Breach Risk Assessment Tool to Be Provided With Webinar)

Breach Response
• Discussion of What Are the Breach Notification Requirements and Other Obligations of a Business Associate
• Discussion of What Are the Breach Notification Requirements and Other Obligations of a Covered Entity, Including Detailed Drill Down on Notifications to HHS (Immediate vs. Annual); Notification to Individual (Incl. State Law Considerations); Notification of Media (What Is Required? and the 500 Individuals per Jurisdiction Threshold)

No Credit Available

Helen Oscislawski, Esq. - Attorneys at Oscislawski LLC