
Page 1: Privacy CSI: Fundamentals of ... - HCCA Official Site

4/27/2015

1

Privacy CSI: Fundamentals of Conducting and Documenting a Privacy Investigation

Ted Bliman, JD, MPH, CHC
Elizabeth Brown, JD, MPH, CHPC

April 22, 2015

Discussion Objectives

• Goals of a privacy investigation

• Development and implementation of an Incident Response Plan (IRP)

• Aspects of a privacy incident

• Investigation tools and techniques

• Examples walkthrough


How to Start: Think About End Goals

● Ability to respond to a patient complaint
● Supporting the Human Resources process
● Mitigating organizational risk
  o Limit organizational exposure from the incident
  o Reduce potential for future incidents
● Breach Notification Rule standards (and applicable state law requirements)
  o Writing a notification letter
● Defense of an OCR inquiry or lawsuit

Breach Notification Rule

● A breach is an impermissible acquisition, access, use or disclosure of PHI that compromises the security or privacy of the PHI.

● An impermissible use or disclosure is presumed to be a breach unless you can demonstrate a low probability that the PHI has been compromised, based on a risk assessment of at least these four factors:

1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
2. The unauthorized person who used the PHI or to whom the disclosure was made
3. Whether the PHI was actually acquired or viewed
4. The extent to which the risk to the PHI has been mitigated

● Keep the factors in mind as you conduct your investigation, and document the assessment itself: the burden of demonstrating a low probability of compromise (or that notification was made) rests on the covered entity.

Who has the information? Why do they have it? How can the harm be mitigated?


OCR Investigations/Inquiries

● OCR is looking to see that you have:
  o Conducted a thoughtful and thorough investigation
  o Appropriate policies and education
  o Sufficient technical and administrative safeguards
  o A comprehensive privacy program

● If the incident may result in an OCR inquiry, use the investigation as your first attempt at gathering your documentation.
  o Identify gaps during the investigation and begin remediation efforts as necessary
  o Documentation is key

Investigation Playbook: The Incident Response Plan (IRP)


Developing an IRP - Why Do It?

• Provides the roadmap to your investigation
• Reduces stress in the moment; a big issue is not the time to “play it by ear”
• Ensures all involved in an investigation are on the same page and have clearly defined roles
• Establishes an Incident Response Team and puts those involved on alert regarding their role
• Inspires collaborative conversations across the organization
• Allows for self-reflection and modification of the anticipated response as a “wrap-up” of the incident

IRP - Planning Phases

● Assess your current workflow
  o What works and what could be improved?

● Include key partners in the process
  o Quality/Risk Management (and Patient Advocate)
  o Human Resources
  o IT/Information Security
  o Health Information Management
  o Marketing
  o Office of General Counsel
  o Senior Leadership
  o Medical Staff Office

● The IRP is a living document; later edits are OK


IRP - A Roadmap for Success

● Reporting
  o Patient complaints
  o Incident reports
  o Direct report
  o Referral from Information Security/IT

● Triage
  o Response may be dictated by the level of risk
  o Validate facts: discussion with the reporter or review of evidence
  o Refer non-privacy issues appropriately
  o Should the investigation be conducted under attorney-client privilege? Decide this before the case file grows.

IRP - A Roadmap for Success

● Investigation
  o Response is dictated by the incident’s level of risk and scope
  o Involve key personnel as needed in investigation planning
    - Consult with HR, VPMA, Media Relations, SLT, etc.
    - Be clear on notification vs. involvement
    - Come with a plan
    - Should counsel be in the loop?
    - Activate the Incident Response Team to act as a sounding board and keep things moving
    - Be clear on who “owns” the issue or portions of the investigation
  o Gather and review applicable policies, procedures and processes
  o Leverage internal resources
  o Conduct informational interviews and gather facts
  o Interview the individual involved in the issue (with HR as appropriate)
  o Determine if the issue is reportable
    - State law issues, accrediting bodies, licensing agencies, OCR


IRP - A Roadmap for Success

● Notification
  o Consider credit monitoring as a mitigation effort (most relevant where SSNs or financial identifiers were involved)
  o Smaller or more routine issues:
    - Who drafts the letter(s)?
    - Who sends the letter(s)?
    - Who responds to patient calls?
    - Plan for the annual report to HHS of breaches affecting fewer than 500 individuals: create a draft notification contemporaneously with the issue
  o Larger issues:
    - A vendor is an option
    - Prepare ahead of time for patient calls
    - Monitoring for undeliverable mail
    - Addressing state law variations
    - How to handle the media vs. the required media notice (breaches involving more than 500 residents of a state or jurisdiction)

IRP - A Roadmap for Success

● Remediation
  o Review policies gathered as part of the investigation
  o Identify areas to target for improvement
  o Collaborate with partner departments

● Human Resources
  o Ties into the investigation/interview process
  o Ensure that discipline is finalized and documented

● Issue Debrief
  o Review the issue internally and with other departments
  o Identify areas for improvement
  o Use the time to prep for OCR (if you believe OCR may become involved)


IRP In Practice

● Patient complaint that he received another patient’s discharge paperwork.

● An unencrypted personal device is stolen from a physician’s car while she was at the gym.

IRP - Considerations

● No one size fits all approach

● An IRP at a small physician practice will look very different than a large healthcare delivery system

● Documentation is key throughout the process
  o Interviews
  o Evidence
  o Processes

● Information gathered through the course of an investigation is key to preparing for an OCR inquiry


IRP Considerations - Resources

● Understand your capabilities and limitations before an incident occurs

● Know your:
  o IT infrastructure, capabilities and key points of contact
  o Legal counsel vs. outside counsel and their role
  o Internal compliance/privacy support and tools
  o How other portions of the investigation work and how you can leverage that process (HR/Risk etc.)
  o Breach insurer’s coverage
  o Your own limitations: when to ask for help

The Investigation: Building Your Case File - Core Elements


Planning

● What, who, why, when, how & where
  o Leave no stone unturned
  o Understand the full layout of the incident
  o Analysis → Strategy
  o Make sure this is an actual privacy incident

● Formal fact gathering:
  o Investigative interview/interrogation
  o Forensics/physical evidence
  o Processes, policies, and other documents

● Documentation/file creation

What kind of evidence to handle?

● Paper Records/Documents

● EMR Access Reports

● Computers (hardware and software), portable drives & discs, emails

● Social Media

● Fax machines

● Garbage bins, Dumpsters & Shred Bins

● “Missing” Things?


To whom should we speak, and what about?

● Person or people at the center of the potential violation: the “subject(s)”.

● Patients/representatives/Patient Advocate: the “victim”?

● Witnesses: people who may have seen, heard or reported the incident. They enhance the details of an event.

● Managers: department processes, and the roles and background of the employee(s).

● Investigation partners: IT, HR (union), Risk Management, Legal.

● Vendors: processes, products, IT standards.

Why do things go wrong?

● Harm
● Curiosity/Gossip
● Family
● Neglect/Accidental
● Folly
● A bad process
● Something breaks down (IT, process etc.)


Where do things go wrong?

● Office space

● Clinical space

● Lobby

● Cyberspace

● Grounds

● Conference Rooms

● Staff break rooms

● Volunteer/Clergy areas


Fact Gathering: Talking with People


Interviews and Interrogations

● Interviews
  o Non-accusatory
  o Fact seeking
  o Conversational

● Interrogations
  o Guilt is suspected
  o Accusatory
  o Confession seeking

● Approach will depend on the incident type/details
  ○ Investigative interviews → Interrogations
  ○ Expect a full “interrogation” to be rare

● Legal/ethical considerations
● Be able to adjust to different types of violations/scenarios
● Behavioral analysis required; assess the subject’s reactions
● Maintain fluidity and command throughout
● Preparation is key


Interview basics

● Witnesses
  ○ Warnings and representations
  ○ Allow them to tell the story from the beginning
  ○ Looking for basic event details
  ○ Avoid “leading questions”
  ○ Independent source to corroborate the incident
  ○ Who else is in the room: avoid a 1-on-1 situation

● Subject matter experts
  ○ Do they know their business?

● Can an interview become an interrogation?

Interrogation basics

• Process Elements
  o Rapport
  o Signs of Deception
  o Overcoming Resistance
  o Submission
  o Admission & Confession

• Selected Techniques
  o Introductory Statement
  o Participatory Accusation
  o Direct Accusation
  o Multiple subjects under investigation


Other Considerations

• Advantages (working in the interviewer’s favor):
  ✓ Stress
  ✓ Fear of forensics (evidence already obtained)
  ✓ Fear of consequences
  ✓ Isolation (despite union representation)

• Challenges:
  ✓ Stranger, time
  ✓ Personal knowledge of the people
  ✓ Getting through the emotional responses


Documentation

● An interview is only as good as the record
● Obtain formal processes/procedures when possible
● Take good notes
● Have people confirm your summary via email: your words become their words
● Contemporaneous documentation is always better than after the fact

Investigation Case Studies: Your Tools in Practice


Access

A patient employee complains that her co-worker knows about her ED visit from last week. What should you do?

Your tools:
o Access audits
  • Provide evidence, but be sure to review closely with management
  • Be specific in your request to IT; don’t ask for more than you need
  • Understand what IT can provide and how you can use it
  • Can be used as evidence in an interview
  • Not definitive: people share credentials, leave sessions unlocked, and disclose by word of mouth
o Interviews
  • Complainant (understand who should talk to her)
  • The manager: what should the employee have accessed?
  • The “suspect”: bring your evidence
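As an added example (not code from the presentation), the following script shows the triage step between “ask IT for the access audit” and “interview the suspect”: it filters an audit extract for one patient’s chart down to the accesses that the documented care relationship does not explain, and separately flags the pattern behind the “not definitive” caveat, the same user id appearing on two workstations minutes apart. The log format, user ids, departments, workstations, timestamps and the time windows are all constructed assumptions; the windows in particular are what you would set from the manager interview, not rules from the presentation.

```python
"""Triage an EMR access-audit extract for a single patient complaint.

Added example; not code from the HCCA presentation. The log format, user ids,
departments, workstations and timestamps are constructed for illustration.
Real audit exports differ, and the time windows below are assumptions to be
set from the manager interview.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit extract for the complaining patient's chart.
# Fields: timestamp  user  department  workstation  action
AUDIT_LOG = """\
2015-04-13T22:41:05 rnsmith ED ED-WS03 VIEW_CHART
2015-04-13T23:05:40 drlee ED ED-WS01 VIEW_NOTE
2015-04-14T09:12:11 jdoe BILLING BL-WS07 VIEW_CHART
2015-04-16T12:30:02 kbrown RADIOLOGY RAD-WS02 VIEW_CHART
2015-04-16T12:31:15 kbrown RADIOLOGY PHARM-WS04 VIEW_RESULTS
2015-04-20T08:02:50 rnsmith ED ED-WS03 VIEW_CHART
"""

# Context from the manager interview (constructed): the ED encounter, who had
# a treatment or operations reason to be in the chart, and for how long.
ENCOUNTER_START = datetime(2015, 4, 13, 22, 0)
ENCOUNTER_END = datetime(2015, 4, 14, 3, 0)
CARE_TEAM = {"rnsmith", "drlee"}          # treating staff for this encounter
CARE_FOLLOWUP = timedelta(hours=48)       # charting/sign-off after discharge
OPERATIONS_DEPTS = {"BILLING"}            # post-discharge coding and billing
OPERATIONS_WINDOW = timedelta(days=30)


def parse_log(text):
    """Parse the whitespace-separated extract into dicts with datetime stamps."""
    rows = []
    for line in text.splitlines():
        ts, user, dept, ws, action = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "user": user,
                     "dept": dept, "ws": ws, "action": action})
    return rows


def explained(row):
    """True when the documented relationship accounts for this access."""
    if row["user"] in CARE_TEAM:
        return ENCOUNTER_START - timedelta(hours=1) <= row["ts"] <= ENCOUNTER_END + CARE_FOLLOWUP
    if row["dept"] in OPERATIONS_DEPTS:
        return ENCOUNTER_END <= row["ts"] <= ENCOUNTER_END + OPERATIONS_WINDOW
    return False


def flag_accesses(rows):
    """Accesses to take into the interviews: no relationship, or outside the window."""
    return [r for r in rows if not explained(r)]


def workstation_hops(rows, max_gap=timedelta(minutes=5)):
    """Same user id on two workstations within max_gap.

    This is the 'not definitive' caveat made concrete: it may mean a shared
    password or an unlocked session someone else used, so attribute the
    access to a person only after badge, location or interview evidence.
    """
    by_user = defaultdict(list)
    for r in rows:
        by_user[r["user"]].append(r)
    hops = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        for a, b in zip(events, events[1:]):
            if a["ws"] != b["ws"] and b["ts"] - a["ts"] <= max_gap:
                hops.append({"user": user, "from": a["ws"], "to": b["ws"],
                             "gap_seconds": int((b["ts"] - a["ts"]).total_seconds())})
    return hops


def triage(text):
    rows = parse_log(text)
    return {"flagged": flag_accesses(rows), "hops": workstation_hops(rows)}


if __name__ == "__main__":
    result = triage(AUDIT_LOG)
    for r in result["flagged"]:
        print("REVIEW", r["ts"], r["user"], r["dept"], r["ws"], r["action"])
    for h in result["hops"]:
        print("POSSIBLE SHARED SESSION", h)
```

On the constructed data this flags the radiology user (no relationship to the encounter) and the ED nurse’s access six days after discharge (care team, but outside the charting window), while the billing review is explained. The radiology user’s two workstations 73 seconds apart is the line to resolve with badge or location data before that name goes into an interview as the “suspect”.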

Use and Disclosure

A patient complained that a staff member provided sensitive information about her care to her mother without her authorization.

Your Tools:
● Tools are generally limited in verbal issues
● Interviews are key
● Understand all elements of the patient complaint before approaching the employee
● Use the element of surprise in the interview
● Is there any documentation in the record?
● The issue may end up “unsubstantiated”, but you still need to evaluate the risk of compromise


Paper

You receive an anonymous inter‐office envelope containing parts of a paper medical record, including a note that the material was found scattered on the ground in the employee parking area.

Your Tools:

● Work closely with HIM ‐ narrow down possible sources, other facts

● Other evidence in the found pages?  Just the record or other things?

● Canvass the grounds well to find additional pages.

● Use of interviews to validate ownership/purpose for removal


IT

You get a call from the manager of your faxing database.  A vendor IT systems error has caused 50 e‐faxes to be sent to the incorrect recipients. 

Your Tools:

● Information Security or a trusted IT person

o Can help you understand the IT infrastructure

● The vendor

o Involve the contract owner and IT in conversations

o How does the faxing work and what went wrong

o Understand where the faxes went and whether they were secure

o Formal report

● Internal resources

o Quality and Risk Management ‐ patient care issues

o Reach out to recipients to confirm destruction and evaluate risk

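The e-fax case turns on two of the bullets above: “understand where the faxes went” and “reach out to recipients to confirm destruction”. The script below is an added example (not from the presentation or any fax vendor) of the reconciliation that produces both answers: join the vendor’s transmission log against the destinations your own order system intended, keep only jobs that were actually delivered somewhere other than intended, and group them by the number that received PHI so each wrong recipient gets one call. Both CSV extracts, the job ids, patient ids, numbers and status values are constructed; a real vendor report has its own columns to map first.

```python
"""Reconcile an e-fax vendor's transmission log against the intended recipients.

Added example; not code from the HCCA presentation or from any fax vendor.
Both CSV extracts, the job ids, numbers and statuses are constructed; a real
vendor report will have its own columns, so map them before running this.
"""
import csv
import io
from collections import defaultdict

# What your order/referral system intended to send (constructed).
INTENDED_CSV = """\
job,patient,intended_fax
F1001,P-17,+15550100101
F1002,P-22,+15550100102
F1003,P-31,+15550100103
F1004,P-08,+15550100104
F1005,P-45,+15550100105
"""

# What the vendor actually transmitted (constructed). FAILED jobs never
# reached anyone, so they are not disclosures, but note them for resend.
TRANSMIT_CSV = """\
job,dialed_fax,status,pages
F1001,+15550100101,SENT,3
F1002,+15550100109,SENT,5
F1003,+15550100109,SENT,2
F1004,+15550100106,FAILED,4
F1005,+15550100106,SENT,1
"""


def load(csv_text, key="job"):
    return {row[key]: row for row in csv.DictReader(io.StringIO(csv_text))}


def reconcile(intended_csv, transmit_csv):
    """Return misdirected jobs: delivered, and to a number other than intended."""
    intended = load(intended_csv)
    misdirected = []
    for job, tx in load(transmit_csv).items():
        want = intended.get(job)
        if want is None:
            # A job the vendor sent that we never ordered is its own question.
            misdirected.append({"job": job, "patient": None, "intended": None,
                                "actual": tx["dialed_fax"],
                                "pages": int(tx["pages"]), "note": "unknown job"})
            continue
        if tx["status"] == "SENT" and tx["dialed_fax"] != want["intended_fax"]:
            misdirected.append({"job": job, "patient": want["patient"],
                                "intended": want["intended_fax"],
                                "actual": tx["dialed_fax"],
                                "pages": int(tx["pages"]), "note": "misdirected"})
    return misdirected


def outreach_list(misdirected):
    """Group by the number that actually received PHI: one call per recipient,
    asking for confirmation of destruction, with the patients and page counts."""
    by_dest = defaultdict(lambda: {"patients": set(), "jobs": [], "pages": 0})
    for m in misdirected:
        d = by_dest[m["actual"]]
        d["patients"].add(m["patient"])
        d["jobs"].append(m["job"])
        d["pages"] += m["pages"]
    return dict(by_dest)


if __name__ == "__main__":
    bad = reconcile(INTENDED_CSV, TRANSMIT_CSV)
    for dest, info in outreach_list(bad).items():
        print(dest, sorted(info["patients"]), info["jobs"], info["pages"], "pages")
```

The intended number must come from your own system of record, not from the vendor’s copy of your directory: if the vendor’s directory is what went wrong, its own log will show the wrong number as “intended” and the reconciliation will find nothing. The per-destination grouping is also what feeds the four-factor assessment, since a single covered-entity recipient who confirms destruction is a different risk from an unknown number that received seven pages.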


Hardware

You receive a report that a laptop has gone missing from an administrative area.

Your tools:
• “Toss the place!” Security camera footage available? Keypad/locked areas?
• Validate encryption status ASAP; it provides breathing room. PHI encrypted consistent with HHS guidance is not “unsecured PHI”, so a lost device that was actually encrypted is generally not a reportable breach. Confirm the state from the endpoint-management or encryption console record for that specific device, not from the user’s recollection, and confirm the key or passphrase was not stored with the device.
• How soon to disable its network access, VPN and credentials (and issue a remote wipe, if available): defer to/confer with IT Security
• Extensive interviews to determine the likelihood of theft, loss or destruction
• Forensics if found: proof of no access?
• How safe is a “safeguard”?
• Data recreation
  – Data Loss Prevention (DLP)
  – Employee input

Social Media/Cloud

A colleague shows you a picture that one of your practice’s physicians posted to Facebook that includes an object taken out of a patient and a vague comment.

• Need to understand:
  – What was posted: is the information actually “identifiable”? Look at how the poster identifies him/herself
  – Comments: can reinforce the initial disclosure or be new disclosures
    - Use management to understand who is who
    - Use the source if they are “friends” with the employee
  – How long was the post available and who had access to view it? Some of this can be gleaned from the posting, but other things such as privacy settings need an interview
  – What to do once the post is removed?
  – Screen shots are key: capture the post, the comments and the visible audience setting before asking for removal, and record when and by whom each capture was taken

• Other tools/angles?
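Screen shots only help later if you can show they are the ones taken on the day, which is the same point the Documentation slide makes about the record. As an added example (not from the presentation), the script below hashes each collected file, writes a manifest with the collector, a note and a UTC timestamp, and re-verifies the files against it; the file names, contents and collector name are constructed.

```python
"""Hash-and-timestamp manifest for screenshots and other collected files.

Added example; not code from the HCCA presentation. It writes a JSON manifest
beside the files so the screenshots handed to counsel or OCR can be shown to
be the ones captured at collection time. Names and contents in demo() are
constructed.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def hash_file(path, chunk=1 << 20):
    """Stream the file so large screen recordings do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(paths, collector, note):
    """One entry per file: name, size, SHA-256, and the UTC time of hashing."""
    return {
        "collector": collector,
        "note": note,
        "created_utc": datetime.now(timezone.utc).isoformat(),
        "files": [{"name": os.path.basename(p), "bytes": os.path.getsize(p),
                   "sha256": hash_file(p)} for p in paths],
    }


def verify_manifest(manifest, directory):
    """Re-hash each listed file; return the names whose content changed or is missing."""
    problems = []
    for entry in manifest["files"]:
        p = os.path.join(directory, entry["name"])
        if not os.path.exists(p) or hash_file(p) != entry["sha256"]:
            problems.append(entry["name"])
    return problems


def demo():
    """Collect two constructed 'screenshots', verify, alter one, verify again."""
    with tempfile.TemporaryDirectory() as d:
        paths = []
        for name, content in (("post.png", b"PNG-bytes-of-the-post"),
                              ("comments.png", b"PNG-bytes-of-the-comments")):
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(content)
            paths.append(p)
        manifest = build_manifest(paths, "privacy officer (constructed)",
                                  "Facebook post and comments, physician account")
        with open(os.path.join(d, "manifest.json"), "w") as f:
            json.dump(manifest, f, indent=2)
        before = verify_manifest(manifest, d)
        with open(paths[1], "ab") as f:          # simulate a later edit
            f.write(b"edited later")
        after = verify_manifest(manifest, d)
        return before, after


if __name__ == "__main__":
    print(demo())   # ([], ['comments.png'])
```

Keep the manifest somewhere the files’ custodian cannot quietly edit alongside them, for instance by emailing it to counsel the same day, since a manifest stored only next to the files proves nothing on its own.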


Questions

What challenges have you encountered and how were they overcome?


References

Leo, R. & Skolnick, J. (1992). The Ethics of Deceptive Interrogation. Criminal Justice Ethics, Winter/Spring (5-7).

Reid, J.E. and Associates (2001, June). Monthly Investigator Tips. http://www.reid.com/educational_info/r_education.html

Shuy, R. (1998). The Language of Confession, Interrogation and Deception. Thousand Oaks, CA: Sage.

Vrij, A. (2000). Detecting Lies and Deceit: The Psychology of Lying and the Implications for Professional Practice. West Sussex, UK: John Wiley & Sons.

Wicklander, D. & Zulawski, D. (1993). Practical Aspects of Interview and Interrogation. Boca Raton, FL: CRC Press. http://www.w-z.com/