TERRI L. BARRETT, PHD, CIPM WV EXECUTIVE BRANCH
DEPUTY CHIEF PRIVACY OFFICER WV HEALTHCARE AUTHORITY
NOVEMBER 13, 2015
WHO IS HERE?
FOR THE NEXT 45 MINUTES OR SO...
• Anticipate
• Cost of Data Breaches and Your Identity
• OCR Current Breach Stats
• PII versus PHI
• Breach versus Incident
• Respond
• Risk of Harm
• Mitigate
Why Privacy is so important
2015 COST OF A DATA BREACH
THE COST OF YOUR IDENTITY ON THE DARK WEB
• DOB: $11
• Credit Card: $15
• Credit Card & DOB: $11
• Login Credentials: $20-$50
• SSN: $1
• Driver’s Licenses: $10-$35
• Partial EHR: $50
According to the Department of Health
and Human Services, “data about more
than 120 million people has been
compromised in more than 1,100
separate breaches at organizations
handling protected health data since
2009”
153,943,182 People
1,364 HITECH Act Breaches
Leading Cause of Breaches
• Theft
Leading Source of Breached Patient Data
• Laptops, Paper Records and Desktops
Hacking of network services continues to affect the most patients – more than 110 million individuals…
OCR HIPAA PATIENT COMPLAINTS AS OF SEPTEMBER 30
121,576 complaints received
34,710 under OCR jurisdiction
23,873 required corrective actions by Covered Entities
10,837 cases with no violations
94% of all examined cases were resolved
559 complaints were referred to the Department of Justice for possible criminal prosecution
• Impermissible uses and disclosures of protected health information;
• Lack of safeguards of protected health information;
• Lack of patient access to their protected health information;
• Lack of administrative safeguards of electronic protected health information; and
• Use or disclosure of more than the minimum necessary
PRIVACY AREAS INVESTIGATED
• Private Practices;
• General Hospitals;
• Outpatient Facilities;
• Pharmacies; and
• Health Plans
• group health plans and health insurance issuers
CE’S REQUIRED TO TAKE CORRECTIVE ACTION
PII AND PHI…WHAT’S THE DIF?
Personally Identifiable
Information (PII)
Protected Health Information (PHI)
Payment Card Industry Data
Security Standard
(PCI-DSS)
Federal Tax Information (FTI)
Protected health information (PHI) is individually identifiable health information that is transmitted or maintained in any form or medium (45 CFR 160.103)
“Health information means any information, including genetic information, whether oral or recorded in any form or medium that:
(A) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
(B) relates to the past, present, or future physical or mental health or condition of any individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.”
INFORMATION WHICH DEFINITELY IDENTIFIES AN INDIVIDUAL
• Names;
• Geographic Subdivisions Smaller than a State (except some three digit zip codes);
• Dates Directly Related to an Individual (except years);
• Telephone Numbers;
• Fax Numbers;
• Electronic Mail Addresses;
• Social Security Numbers;
• Medical Record Numbers;
• Health Plan Beneficiary Numbers;
• Account Numbers;
• Certificate/License Numbers;
• Vehicle Identifiers and Serial Numbers (including license plate numbers);
• Device Identifiers and Serial Numbers;
• Web Universal Resource Locators (URLs);
• Internet Protocol (IP) Address Numbers;
• Biometric Identifiers;
• Full Face Photographic Images (and comparable images); and,
• Any Other Unique Identifying Number, Characteristic, or Code.
http://blog.privatewifi.com/pii-chart-educates-against-identity-theft-fraud-scams/comment-page-1
• Incident: The acquisition, access, use, or disclosure of protected health information in a manner not permitted under HIPAA; and,
• Risk: Impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate, demonstrates a low probability that the PHI has been compromised.
Definition of Breach (45 C.F.R. 164.402)
Incident Risk Breach
RESPOND
• Review the circumstances regarding the breach, conduct an investigation, complete a risk assessment, and determine necessary actions including involvement of enterprise, local law enforcement and legal counsel resources.
• Coordinate communications with all involved in the investigation, including patients, licensing and accrediting organizations, state and federal governmental agencies, etc.
• Retain all related Breach investigation documentation (to be maintained for a minimum of six years).
• Recommend resolution and corrective action steps (sanctions) to mitigate potential harm.
• Report results of the investigation to involved persons, entities, and agencies as recommended and/or required by law.
RISK OF HARM ASSESSMENT
STEP 1: REVIEW FOR EXCLUSIONS
Was the data encrypted?
Was the unintentional acquisition, access or use of PII (or PHI) made in good faith and within the scope
of authority of an individual or entity, for lawful purposes of the individual or entity, by a person or
business associate, and is not subject to further unauthorized use or disclosure?
HIPAA Only:
Was the PHI inadvertently disclosed by a person who is authorized to access PHI at a HIPAA
covered entity or business associate to another person authorized to access PHI at the same
covered entity, business associate, or organized health care arrangement in which the covered
entity participates, and the information received as a result of such disclosure was not further
used or disclosed in an unauthorized manner?
Does the HIPAA covered entity or business associate have a good faith belief that the unauthorized
person to whom the disclosure of PHI was made would not reasonably have been able to retain
such information?
If you answered “Yes” to any of the questions above, an exclusion applies: there is no breach and notification is not required. Document the decision.
STEP 2: IF NO EXCLUSIONS…
Complete the Risk of Harm Assessment
Analyze possible risk to affected individuals
Use your results as a guide to assist with notification
determination
RISK ASSESSMENT FACTORS
Rate each factor as High Risk of Compromise (2 points), Medium to Low Risk of Compromise (1 point), or No Impact (0 points), and record the rating score for each factor.

Factor 1: The nature and extent of the PII used or disclosed
• High Risk (2 points): Unauthorized use or disclosure of electronic PII (W. Va. Code § 46A-2A-101: an individual’s first name or first initial and last name in combination with SSN, driver’s license/State ID card, or financial account numbers); unauthorized use or disclosure of unsecured Protected Health Information (PHI).
• Medium to Low Risk (1 point): Unauthorized use or disclosure of electronic PII associated with an individual (excludes PHI).
• No Impact (0 points): Unauthorized use or disclosure with no sensitive PII.

Factor 2: The unauthorized recipient of the use or disclosure (or who illegally obtained the PII)
• High Risk (2 points): Untrusted/unknown recipient; lost or stolen.
• Medium to Low Risk (1 point): Trustworthy recipient, for example an individual with contractual obligations to the department, or who has confidentiality obligations, such as an attorney or medical professional.
• No Impact (0 points): Trusted recipient, for example a member of the workforce.

Factor 3: Disposition of the unauthorized use or disclosure (assess what happened after the initial use or disclosure of PII)
• High Risk (2 points): PII was acquired; cyber incident; obtained for personal gain/malicious harm.
• Medium to Low Risk (1 point): PII was viewed or partially viewed but not acquired.
• No Impact (0 points): PII was not viewed or acquired.

Factor 4: The extent to which the risk to the PII has been mitigated
• High Risk (2 points): No mitigation; unable to retrieve PII; unsure of disposition or location; PII is pending re-disclosure or already re-disclosed; no security controls; security controls such as password or encryption were compromised.
• Medium to Low Risk (1 point): We have good-faith reason to believe that the PII has not and will not be used or disclosed; PII destroyed, but not confirmed; electronically deleted, but not confirmed.
• No Impact (0 points): We have good-faith reason to believe that the PII has not and will not be used, disclosed, or retained; data wiped; information/device meets security control standards.

Any other factors or information which can assist in determining whether the PII was compromised:
NEXT STEPS…
STEP 3: CATEGORIZE FACTOR RATING POINTS:
Total score of 7 or 8 = High Risk: PII has been compromised.
Total score of 5 or 6 = Medium Risk: PII may have been compromised.
Total score of 4 or less = Low Risk or No Impact: There is likely a low risk of compromise or no impact.
STEP 4: IS NOTIFICATION REQUIRED?
EXAMPLE 1: STOLEN (OR LOST) LAPTOP
Laptop was recovered
Forensic analysis shows the PII was not accessed,
altered, transferred or otherwise compromised
EXAMPLE 2: UNAUTHORIZED DISCLOSURE
Unauthorized disclosure of PHI to a 3rd party who acquired the data and plans to re-disclose the data to a marketing company
The data file was unsecured
The data file contained unredacted electronic data
consisting of patient names, patient addresses and
diagnosis information
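The four-step Risk of Harm Assessment above (exclusion review, factor rating, scoring thresholds, notification determination) is mechanical enough to put in code so that every incident is scored the same way and the reasoning is recorded. The following Python script is an added example, not part of the presentation or of any WV Healthcare Authority tool; the field names and the `Incident` record are assumptions, and the factor ratings assigned to Example 1 (unencrypted electronic PII on the device, lost or stolen, not viewed or acquired, recovered device confirmed untouched) are assumed for illustration, since the slide gives the facts but not the ratings. Step 4 is deliberately left as a category the reviewer uses to inform the notification decision, as the slides describe.

```python
"""Worked example of the Risk of Harm Assessment scoring (added example, not the presentation's own tool)."""
from dataclasses import dataclass
from enum import IntEnum


class Rating(IntEnum):
    """Points per factor, as on the assessment worksheet."""
    NO_IMPACT = 0
    MEDIUM_LOW = 1
    HIGH = 2


@dataclass(frozen=True)
class Incident:
    # Hypothetical record layout (assumption); field names are not from the slides.
    description: str
    # Step 1 exclusion questions: True means that exclusion applies.
    data_encrypted: bool
    good_faith_within_scope: bool
    inadvertent_internal_disclosure: bool  # HIPAA only
    recipient_could_not_retain: bool       # HIPAA only
    # Step 2 factor ratings (Factors 1-4 of the worksheet).
    nature_and_extent: Rating
    recipient: Rating
    disposition: Rating
    mitigation: Rating


def step1_exclusion_applies(inc: Incident) -> bool:
    """Step 1: a "Yes" to any exclusion question means no breach and no notification."""
    return any((inc.data_encrypted, inc.good_faith_within_scope,
                inc.inadvertent_internal_disclosure, inc.recipient_could_not_retain))


def step2_score(inc: Incident) -> int:
    """Step 2: sum the four factor ratings, giving a total of 0 to 8 points."""
    return int(inc.nature_and_extent + inc.recipient + inc.disposition + inc.mitigation)


def step3_categorize(score: int) -> str:
    """Step 3: map the total to the categories and thresholds given on the slides."""
    if not 0 <= score <= 8:
        raise ValueError(f"score out of range: {score}")
    if score >= 7:
        return "High Risk: PII has been compromised"
    if score >= 5:
        return "Medium Risk: PII may have been compromised"
    return "Low Risk or No Impact: likely a low risk of compromise or no impact"


def assess(inc: Incident) -> dict:
    """Run Steps 1-3 and return a record the privacy office can file with the investigation."""
    if step1_exclusion_applies(inc):
        return {"description": inc.description, "excluded": True, "score": None,
                "category": "No breach (exclusion applies); notification not required; document the decision"}
    score = step2_score(inc)
    return {"description": inc.description, "excluded": False, "score": score,
            "category": step3_categorize(score)}


# Example 1 from the slides: stolen (or lost) laptop, recovered; forensics show the PII
# was not accessed, altered, transferred or otherwise compromised.  Ratings are assumed
# for the example: unencrypted electronic PII (2), lost or stolen (2), not viewed or
# acquired (0), recovered device meets security control standards (0).
EXAMPLE_1 = Incident(
    description="Stolen (or lost) laptop, recovered; forensics show PII not accessed",
    data_encrypted=False, good_faith_within_scope=False,
    inadvertent_internal_disclosure=False, recipient_could_not_retain=False,
    nature_and_extent=Rating.HIGH, recipient=Rating.HIGH,
    disposition=Rating.NO_IMPACT, mitigation=Rating.NO_IMPACT,
)

# Example 2 from the slides: unsecured PHI (names, addresses, diagnoses) acquired by a
# third party who plans to re-disclose it: every factor rates High.
EXAMPLE_2 = Incident(
    description="Unauthorized disclosure of unsecured PHI to a 3rd party planning re-disclosure",
    data_encrypted=False, good_faith_within_scope=False,
    inadvertent_internal_disclosure=False, recipient_could_not_retain=False,
    nature_and_extent=Rating.HIGH, recipient=Rating.HIGH,
    disposition=Rating.HIGH, mitigation=Rating.HIGH,
)

if __name__ == "__main__":
    for inc in (EXAMPLE_1, EXAMPLE_2):
        result = assess(inc)
        print(f"{result['description']}\n  score={result['score']} -> {result['category']}")
```

Under these assumed ratings Example 1 totals 4 points (Low Risk or No Impact) and Example 2 totals 8 points (High Risk), which is the contrast the two slides are drawing. Setting `data_encrypted=True` on either record short-circuits to the Step 1 exclusion, which is why the encryption question is asked before any scoring.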
• A Covered Entity (CE) must mitigate (to the extent practicable) any harmful effect that is known to the CE of a use or disclosure of PHI that is in violation of its policies or procedures (or the privacy rule) by the CE or its Business Associate (BA).
MITIGATE
• A hospital discovers that the medical records of a VIP inpatient
have been accessed by numerous members of its work force by
bypassing certain IT firewalls that had been created to prevent
such access.
SCENARIO 2
• A recently hired medical records clerk at a psychiatric practice fails to secure
the medical records in the medical records file cabinet on a Friday afternoon.
That weekend, a group of painters who are painting the office see the
records, make copies of them, and take them to a local restaurant that
evening where they share them with other patrons. Upon hearing of this
incident on Monday morning, the practice’s office manager realizes that the
clerk failed to receive any training on security lock-up procedures for
medical records, and that no policies or procedures have been prepared
regarding work force training, mitigation of improper disclosures, or work
force sanctions. No privacy official has been appointed by the practice.
SCENARIO 3
• A pharmacy benefit manager (PBM) serves as a BA to your
organization’s sponsored group health plan. As required by the
privacy rule, the PBM and your organization (CE) have entered
into BA agreements. One morning, a customer service
representative inadvertently faxes PHI to the wrong fax number.
After realizing the mistake, the rep immediately notifies the
PBM’s privacy official of the error.