Incident response team
Planning ahead facilitates effective breach response
Paula Moran, MEd, and Jennifer Edlind, JD, CHC, know what they’re talking about when they say having an incident response team in place when a data breach occurs is important. Moran is privacy and security manager at Massachusetts General Hospital (MGH) in Boston. Edlind is director of privacy and compliance operations at University Hospitals Health System (UH) in Cleveland.
Both organizations have established incident response teams—and with the number of privacy violations on the increase, Moran and Edlind say privacy and information security programs can benefit by doing the same.
Establish your team
If a privacy incident is reported or detected, Moran and Edlind recommend having a team in place to quickly determine the impact and magnitude of the incident and decide how to respond to meet data breach requirements.
HHS issued interim final breach notification regulations in August 2009, as required by the HITECH Act—rules expected to be finalized very soon. You can access the regulations at www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html.
When an incident occurs within a covered entity
(CE), it should be viewed as a hospital management
issue, rather than a privacy office problem, Moran says.
After all, the incident could involve many individuals
and affect a number of departments.
Understanding how the incident occurred and why
is critical. An incident response team enables everyone
to quickly gather at the same table to hear the same
information at the same time.
Who should be on your team?
Moran and Edlind recommend a team that includes
representatives from the following departments:
➤ Legal and risk management
➤ PR
➤ Human resources
➤ Information security
➤ Compliance/privacy officers
➤ Police and security
➤ Physicians and/or chiefs
➤ Research and the institutional review board
This month’s tip: Learn what a compliance officer needs to know about responding to noncompliance complaints on p. 12.
October 2012 Vol. 12, No. 10
IN THIS ISSUE
p. 4 Privacy and security lessons learned: Healthcare organizations share their experiences.
p. 5 Campaign creates HIPAA awareness: Data breach at Massachusetts General Hospital has silver lining.
p. 6 Sample incident response policy: Use this sample policy to guide your organization’s response to a privacy or security incident.
p. 8 Sample sanctions policy: Use this sample policy to develop sanctions for privacy and security breaches.
p. 11 HIPAA Q&A: You have questions; we have answers.
p. 12 Compliance building blocks: A proactive approach helps ensure an appropriate response to noncompliance complaints.
Inside: Privacy & Security Primer
Page 2 Briefings on HIPAA October 2012
© 2012 HCPro, Inc. For permission to reproduce part or all of this newsletter for external distribution or use in educational packets, contact the Copyright Clearance Center at www.copyright.com or 978-750-8400.
Determine who your players are and who has responsibility for which tasks, says Edlind. These departments can play different roles. For example, PR can ensure accurate information is provided to the media, information security might assist with forensics, and the security department might oversee an internal investigation.
At MGH, the privacy office takes the lead to facilitate the meeting and assign responsibilities and action items.
Legal concerns
The legal department is essential with respect to
providing advice and ensuring that you follow federal
breach notification rules and applicable state law.
Deciding whether your investigation of an incident will
be privileged is important.
“It’s really essential that each organization talk
to counsel about what is covered by attorney-client
privilege. That should be decided before you are thrust
into investigating a privacy or security incident,” says
Edlind.
A breach that involves multiple states could require
much expertise and possibly outside counsel. You could
face unique or conflicting notification requirements,
she says.
Communication issues
The incident response team will also face communication concerns. Who needs to know what and when do they need to know it? Identify appropriate leaders beforehand and communicate with them regularly when an incident occurs.
When planning for various internal communications, limit the number of content editors, Moran advises. Designate individuals who best understand the situation to write, edit, and approve any communications. Delegate responsibility for managing and reviewing all external communication to your PR department. The member of this department who serves on the incident response team knows firsthand what happened and can ensure that accurate information is released, Moran says.
MGH experienced a data breach and subsequent
OCR investigation that resulted in a $1 million
resolution agreement in 2011. The incident that
resulted in the resolution agreement and corrective
action plan involved the loss of PHI of patients from
the hospital’s infectious disease associates outpatient
practice. During March of 2009, an employee who
took work home over the weekend left files on a
subway train, including a patient schedule and some
billing records.
Moran says she is frequently asked what happened
to the employee—whether the individual was disciplined
Briefings on HIPAA (ISSN: 1537-0216 [print]; 1937-7444 [online]) is published monthly by HCPro, Inc., 75 Sylvan St., Suite A-101, Danvers, MA 01923. Subscription rate: $349/year. • Briefings on HIPAA, P.O. Box 3049, Peabody, MA 01961-3049. • Copyright © 2012 HCPro, Inc. All rights reserved. Printed in the USA. Except where specifically encouraged, no part of this publication may be reproduced, in any form or by any means, without prior written consent of HCPro, Inc., or the Copyright Clearance Center at 978-750-8400. Please notify us immediately if you have received an unauthorized copy. • For editorial comments or questions, call 781-639-1872 or fax 781-639-7857. For renewal or subscription information, call customer service at 800-650-6787, fax 800-639-8511, or email [email protected]. • Visit our website at www.hcpro.com. • Occasionally, we make our subscriber list available to selected companies/vendors. If you do not wish to be included on this mailing list, please write to the marketing department at the address above. • Opinions expressed are not necessarily those of BOH. Mention of products and services does not constitute endorsement. Advice given is general, and readers should consult professional counsel for specific legal, ethical, or clinical questions.
Editorial Advisory Board, Briefings on HIPAA
Managing Editor: Geri Spanek
Contributing Editors: Chris Apgar, CISSP, President, Apgar & Associates, LLC, Portland, Ore.
Mary D. Brandt, MBA, RHIA, CHE, CHPS, Vice President of HIM, Scott & White Healthcare, Temple, Texas
Joanne Finnegan
Jana H. Aagaard, Esq., Law Office of Jana H. Aagaard, Carmichael, Calif.
Kevin Beaver, CISSP, Founder, Principle Logic, LLC, Acworth, Ga.
Kate Borten, CISSP, CISM, Founder, The Marblehead Group, Marblehead, Mass.
John R. Christiansen, JD, Managing Director, Christiansen IT Law, Seattle, Wash.
Ken Cutler, CISSP, CISA, Vice President, MIS Training Institute, Framingham, Mass.
Rick Ensenbach, CISSP-ISSMP, CISA, CISM, HITRUST, Manager, Wipfli, LLP, Minneapolis, Minn.
Reece Hirsch, Esq., Partner, Morgan Lewis, One Market, Spear Street Tower, San Francisco, Calif.
Mac McMillan, CISSM, Co-Founder and CEO, CynergisTek, Inc., Austin, Texas
William M. Miaoulis, CISA, CISM, CISO & HIPAA/HITECH Service Line Leader, Phoenix Health Systems, Dallas, Texas
Phyllis A. Patrick, MBA, FACHE, CHC, Founder, Phyllis A. Patrick & Associates, LLC, Purchase, N.Y.
Frank Ruelas, MBA, Principal, HIPAA College, Casa Grande, Ariz.
or terminated. She always declines to answer based on
the principle of also protecting the privacy of employees
involved in the incident.
External experts
One decision the incident response team must make
is whether to involve external experts. These might
include computer forensics specialists, legal counsel,
an insurance carrier, notification vendors, call center
vendors, and law enforcement.
The burden of proof is on the CE to demonstrate
that an incident is not a breach, says Edlind. However,
retaining outside computer forensic experts to determine
whether information was actually breached can be very
expensive.
UH initially relied on external experts to perform forensic analysis, but ultimately brought the function in-house after purchasing forensics software and providing training to its information security staff.
Contracting with vendors that can send notification
letters and staff a call center before a breach occurs is
a good idea, Moran says. Negotiating with a vendor
during a crisis is something you should try to avoid,
she says.
Whether you handle the notification process yourself, staff a call center to respond to patient inquiries, or hire a vendor could depend on the size of a breach, says Moran.
Notification issues
If you determine your organization has experienced
a data breach, you must comply with federal breach
notification requirements. Making telephone calls to
affected patients in addition to sending notification
letters is a good idea whenever possible, says Moran.
A call offers an opportunity to explain what happened
so patients will know beforehand why they are receiving
notification letters.
In the subway case, clinicians involved with the
patients whose PHI was lost were also incredibly helpful,
she says.
In one instance, Moran called a patient who was hospitalized at the time. The patient’s spouse answered and was about to hand the telephone to the patient. Instead, Moran went to the hospital room and spoke with the patient in person.
“We want the patients to know we sincerely regret
what happened but also want to minimize further stress
by being sensitive in how we communicate to them.
Each case should be looked at on an individual basis,”
she says.
You should establish a process to answer patients’ questions once they receive a notification letter. Ensuring that staff answer questions consistently, perhaps with key talking points, is important.
Prevent future breaches
The work is not finished when the crisis is past,
Moran says.
“Things are never the same. For a time, there is no returning to ‘normal,’” she says. The team should conduct a root cause analysis, digging down to determine what happened and working to prevent any future breaches. Ensure mitigation steps are followed through to completion.
Track data to present at incident response team meetings. UH uses a template to track specific information that helps the team identify trends, says Edlind.
For example, the healthcare system found that workforce members were not protecting the confidentiality of their passwords. As a result, it provided training that explained how to secure passwords, so that workforce members wouldn’t write their passwords on identification badges visible to others, for example.
Questions? Comments? Ideas? Contact Contributing Editor Joanne Finnegan. Email [email protected]
Data breach experience teaches important lessons
Paula Moran, MEd, and Jennifer Edlind, JD, CHC, say they learned important lessons while working with their incident response teams.
Consider the following takeaways with respect to data breaches.
When, not if
Data breaches are not a matter of if, they are a matter of when. Despite privacy and security officers’ diligent efforts to prevent breaches, something inevitably happens, says Moran, privacy and security manager at Massachusetts General Hospital (MGH) in Boston.
“Every organization is going to have an incident,” agrees Edlind, director of privacy and compliance operations at University Hospitals Health System in Cleveland. Therefore, planning proactively to be able to react when an incident occurs is essential.
Intent
Most individuals do not act with malicious intent. Hackers and individuals who try to profit from accessing PHI are the exception rather than the rule.
“Most people are trying to do the right thing and protect confidentiality, but mistakes are made,” says Moran.
Training
Regularly review and refresh your training program with current information, both internal and external. Provide training to your internal staff and business associates that handle your PHI.
Edlind incorporates incidents that occur at her facility or that she reads about in the news to illustrate what can go wrong. Case studies can supplement theoretical information about HIPAA requirements and help staff members understand how to apply the organization’s policies to their daily activities and how their actions could result in a data breach.
“Make training relevant and interesting to people,” she says. “Do people bring work home? Yes. Is there a proper way to handle that? Yes. Our goal is to impact people’s decision-making so they instinctively take the right steps to protect patient information or stop to ask someone for guidance.”
Awareness
Supplement training with other methods. Along with traditional training methods, be creative, says Moran.
As part of its corrective action plan (CAP) with OCR that stemmed from a data breach involving PHI that was lost on a subway train, MGH had 90 days to provide training on new policies and procedures to all of its workforce members who have access to and use PHI. But hospital leaders also realized “we need to keep learning alive,” she says. The Privacy Office created an awareness campaign to do so.
(For more on MGH’s awareness campaign, see the related story on p. 5.)
Cultural change
Significant cultural change is necessary to break down silos and implement a multidisciplinary incident response team. Much of the work MGH was required to do as a result of the CAP was done cross-functionally.
“We got people to really think outside of the box,” says Moran. Various departments helped with the requirements of the CAP. For example, obtaining an identification badge requires completion of the CAP-required training. Security staff ensure that a workforce member has a printed certificate to demonstrate that training is complete before they issue an access ID badge.
Communicate
Communicate key messages and simple action steps to your employees. “Everyone is flooded with information,” says Moran.
Make your message stand out and emphasize the point, she says. Posters, positive weekly stories, friendly competition between departments, and acknowledgement of staff who are doing the right things can energize the workforce.
HIPAA awareness POPPs at Boston hospital
Heightened HIPAA privacy and security awareness among workforce members is the silver lining resulting from Massachusetts General Hospital’s (MGH) Corrective Action Plan that stemmed from a data breach involving PHI that was lost on a subway train.
“People are paying attention to HIPAA privacy and security,” says Paula Moran, MEd, PMP, privacy and security manager at the Boston hospital.
Moran and others are committed to keeping the message alive, so the hospital’s privacy office launched an awareness campaign called “MGHers POPP”—Protect Our Patients’ Privacy.
The campaign aims to remind the MGH workforce to stop and think before doing anything that could compromise patient privacy, says Moran. She wants staff members to stop and ask themselves “does this POPP?” whether they are transporting PHI on a laptop computer, discussing patient care, or sending a fax that contains PHI.
“It’s a very creative approach to supplement traditional methods of training and communication,” says Moran. Privacy office staff members walk through the hallways in the
Sample working off-site security agreement
I acknowledge that I have read and will abide by ABC Organization’s information security policies as applicable to me, including the off-site work security policy (a copy of which I have received). I agree to protect ABC Organization’s confidential data, in any form, when I am accessing and/or using it while away from the facility. Further, I agree to a security audit of my off-site work location if and when requested by ABC Organization.
Name:
Signature:
Date:
Please return this form to the Information Security Officer, ABC Organization.
hospital and distribute lolliPOPPs to staff as a thank you to the staff members who strive to protect patient privacy every day.
A POPP cart, decorated with the campaign logo, is visible at employee events. Privacy office staff distribute POPPcorn and POPP-Tarts®, as well as thank-you baskets to workforce members. Staff members also created bright and colorful posters, with photographs of workforce testimonials from staff demonstrating how they protect patient privacy. The campaign also includes weekly “POPP Pointers” to remind workforce members about HIPAA best practices.
Workforce members can participate in contests and raffles for prize giveaways by submitting entries that describe how they POPP. Prizes include items such as gift certificates to Boston’s Pops Restaurant, tickets to the Boston Pops Orchestra, or a bag from the Coach™ Poppy line.
Moran is proud of MGH’s commitment and hopes that sharing her facility’s campaign can help other hospitals find ways to increase HIPAA awareness among their staff members.
Source: The No-Hassle Guide to HIPAA Policies: A Privacy and Security Toolkit, Updated for 2009, published by HCPro, Inc.
Sample privacy and security incident response policy
Title: Privacy and security incident response
Policy: This organization will develop and maintain a privacy and security incident response plan that includes reporting of a suspected incident, the response team’s composition and responsibilities, and processes for investigation and management of this organization’s response, including external notification as appropriate and mitigation of any harmful effects of the incident.
Purpose: This policy is designed to mitigate any harmful effects of a privacy or security incident related to our protected information and system assets, and to reduce the likelihood of a similar incident in the future. It also is intended to comply with regulatory requirements, including, but not limited to, HIPAA’s privacy and security rules and the American Recovery and Reinvestment Act of 2009 (Recovery Act).
Scope: This policy applies to incidents including violations of our privacy and security policies and procedures by workforce and agents and breaches by known or unknown external parties. HIPAA’s Security Rule defines a “security incident” as an “attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.” This policy specifically extends to our confidential information assets in any form and is not limited to electronic systems, devices, and media.
GENERAL RULES:
1. Reporting
Procedures and mechanisms (e.g., Web form or help desk calls) will be developed and maintained for reporting suspected and actual privacy and security incidents. These will be readily available to our workforce, our agents and partners, and our patients and customers.
2. Incident criticality
Guidelines for categorizing an incident’s criticality will be developed and maintained to ensure that our response actions are timed appropriately for the level of the incident’s actual or potential impact on the organization and the people we serve.
3. Incident response team (IRT)
A two-tiered IRT will be established and maintained with a core or primary team of first responders and a second-tier team of experts included on an as-needed basis. The response team leader will have a designated backup at all times. Roles, responsibilities, lines of authority, communications and call lists, and other relevant materials will be documented and kept current.
4. Response guidelines
Guidelines will be developed, reviewed, and maintained for key steps in our response process. These will include, but not be limited to, computer forensics measures, communications with law enforcement, and legal steps.
5. Breach notification
As a critical part of our response guidelines, detailed breach notification procedures will be developed and kept up to date with state and federal legal requirements. These procedures will include means to determine whether the information was encrypted, the number of individuals whose records have been breached, and individuals’ names and contact information. Notification procedures will include timeliness, content, and means of notifying individuals as required under the Recovery Act Title XIII Subtitle D. Procedures will also describe when government agencies such as the U.S. Department of Health and Human Services must also be notified.
6. Documentation
We will develop and securely maintain an incident database for the purposes of tracking incidents currently under investigation and retrospective periodic review of incidents. These detailed records will be classified as confidential business materials.
7. Post-incident wrap-up
We will develop and maintain a process for post-incident review. This process will look for lessons learned and determine if longer-range actions are needed to prevent similar incidents in the future.
8. Testing
We will periodically review and test our incident response processes. We will update processes as needed for continuous improvement.
9. Business associates (BA)
Our incident response procedures will be coordinated and tested with our Business Associates (BA) and other third parties as appropriate. BAs will be required to demonstrate their regulatory compliance as it affects our protected health information (PHI) and other confidential information assets.
10. Incident examples
Some examples of privacy and security incidents include, but are not limited to, the following:
➤ A workforce member or agent with authorized access to a database knowingly viewing a record in the database when there is no business reason to do so. This is a policy violation, even if the individual does not redisclose the content of the record.
➤ A workforce member who pressures another worker to share his or her user ID and password, even if the intent is for business purposes.
➤ A workforce member who leaves an unattended workstation in an open work area logged on to confidential data.
➤ A workforce member downloading software that is not permitted under the Acceptable Use Policy.
➤ An unauthorized third party (“hacker”) using a valid user ID and password to gain access to our electronic network and/or systems.
➤ An unauthorized third party seeking confidential information, such as a password, by pretending to be an individual authorized to obtain such information (“social engineering”).
➤ An email purporting to be from an authorized party or other false credentials used to obtain PHI or other confidential information.
➤ A software virus or worm (“malware”) interfering with the functioning of personal computers that are part of an information system.
➤ An individual presenting as a patient but with falsified identification (medical identity theft).
Source: The No-Hassle Guide to HIPAA Policies: A Privacy and Security Toolkit, Updated for 2009, published by HCPro, Inc.
Sample privacy and security violations sanctions policy
Title: Privacy and security violations sanctions
Policy: Violations of our privacy and information security policies and procedures are taken seriously and will result in sanctions. The workforce will be reminded at least annually through our workforce awareness program of the potential consequences.
Sanctions may include:
➤ Oral or written warnings
➤ Immediate termination of employment, of work agreement with students/trainees and volunteers, and/or of business contract, as appropriate
➤ External reporting, possibly resulting in civil and criminal legal consequences:
– To government agencies, such as the Secretary of Health and Human Services
– To law enforcement
– To licensing and registration boards
Purpose: This organization is committed to ensuring the privacy and security of information under our protection. We intend these sanctions to serve as a deterrent to violations. Under regulations such as HIPAA Privacy and Security rules, we are obligated to enforce our privacy and security policies and procedures. Therefore, when such policies and procedures are violated, we will respond by mitigating breaches and sanctioning those responsible.
Scope: This policy applies to our full workforce. It covers all privacy and information security policies, standards, rules, and procedures. Further, it applies even when an instance is not explicitly prohibited, but when it is clearly counter to the intent of the body of policies, procedures, etc.
GENERAL RULES:
1. Reporting
Workforce members and business associates must report actual and suspected violations and breaches. Failure to report a breach of which one has knowledge may result in disciplinary action. Falsely reporting a breach in bad faith or for malicious reasons will result in disciplinary action.
2. Sanctions
Workforce sanctions will be based on:
➤ The severity of the violation and its impact
➤ Whether the violation was intentional and, if so, what the intent was
➤ Whether the violation is part of a pattern of improper behavior regarding privacy and security
Mitigating factors will be considered.
This organization will proactively develop and maintain sanction guidelines that (a) reflect the above factors and (b) apply to different groups within the organization’s workforce (such as employees, doctors, volunteers, etc.). These guidelines will be used to assist in handling specific cases. In addition, guidelines will be developed to specify who in the organization will determine when the most serious sanctions are to be invoked, such as notifying law enforcement.
3. Sanction review
Before it is imposed, a proposed sanction will be reviewed by the privacy officer (PO) and/or information security officer (ISO) to ensure appropriateness, consistency, and fairness across all members of the workforce.
4. Documentation
Each case will be documented and filed in the workforce member’s record, where it will be retained for a minimum of six years. (Note that this documentation is distinct from the incident reporting and response form kept by the PO and ISO.)
Documentation must include:
➤ Name of workforce member
➤ Name(s) and role(s) of decision-maker(s) for the case
➤ Description of the violation (without inclusion of any protected information except if/as necessary)
➤ Other circumstances, either mitigating or damaging
➤ Date(s) and time(s) of violation
➤ Real and potential consequences
➤ Sanction(s) applied (including a complete record of any external reporting)
5. Incident analysis and mitigation
During and following this process, the organization will analyze the consequences of the breach or violation and consider whether mitigation measures must be taken to protect a patient, a staff member, the organization, etc. This process is part of this organization’s privacy and security incident response plan.
6. Exceptions
Workforce members are not considered to have violated HIPAA if the disclosure of PHI is as follows.
Whistleblowers: Sanctions will not apply to disclosures by workforce members acting in good faith:
➤ In the belief that this organization has engaged in conduct that is unlawful or otherwise violates professional or clinical standards;
➤ Or that care or services provided by this organization potentially endanger patients, employees, or members of the public;
➤ Or the disclosure is made to a federal or state health oversight agency or public health authority authorized by law to oversee the relevant conduct or conditions of the covered entity;
➤ Or the disclosure is made to an appropriate health care accreditation organization for the purpose of reporting the allegation of failure to meet professional standards or misconduct by this organization;
➤ Or the disclosure is made to an attorney retained by or on behalf of the workforce member or business associate for the purpose of determining legal options regarding disclosure conduct
Crime victims: A covered entity is not considered to have violated HIPAA’s PHI use and disclosure requirements if a member of its workforce who is the victim of a criminal act discloses PHI to a law enforcement official about the suspected perpetrator of the criminal act, and the disclosed PHI is limited to identification and location purposes.
7. Nonretaliation
This organization will not intimidate, threaten, coerce, discriminate against, or take any other retaliatory action against an individual who:
➤ Exercises his or her rights or participates in this organization’s complaint process; or,
➤ Files a complaint with the Secretary of Health and Human Services, Office for Civil Rights, or Centers for Medicare & Medicaid Services; or,
➤ Testifies, assists, or participates in an investigation, compliance review, proceeding, or hearing; or,
➤ Opposes any act or practice unlawful under HIPAA, providing that the individual acted in good faith, believing that the practice was unlawful, the manner of opposition is reasonable, and the opposition does not involve disclosure of PHI in violation of HIPAA regulations
Source: The No-Hassle Guide to HIPAA Policies: A Privacy and Security Toolkit, Updated for 2009, published by HCPro, Inc.
Help workforce learn from the mistakes of others
Experience is said to be the best teacher, so learn from the mistakes made at other organizations.
Incorporate the following scenarios and OCR resolution agreements during HIPAA training at your organization.
Medical record copy fees
A patient complained that a covered entity failed to provide access to his medical records.
OCR notified the covered entity of the allegation. The
entity released the patient’s medical records, but also
billed him $100.00 for a “records review fee” and an
administrative fee.
The HIPAA Privacy Rule permits the imposition of a
reasonable cost-based fee that includes only the cost of
copying and postage and preparing an explanation or
summary if agreed to by the individual.
To resolve this matter, the covered entity refunded the
$100.00 “records review fee.”
Telephone messages
A hospital employee failed to observe minimum necessary requirements when she left a telephone message with the daughter of a patient that detailed her medical condition and treatment plan.
An OCR investigation indicated that the confidential communications requirements were not followed because the employee left the message at the patient’s home despite the patient’s instructions to call her at work.
To resolve the issues in this case, the hospital developed and implemented new procedures. Employees were trained to provide only the minimum necessary information in messages and received specific direction regarding what information could be left in a message.
Employees also were trained to review registration information for patient contact directives regarding messages. The new procedures were incorporated in standard privacy training, both as part of a refresher series and mandatory annual compliance training.
Former spouse’s medical recordsA nurse practitioner who has privileges at a multi-
hospital healthcare system impermissibly accessed the
medical records of her former husband.
To resolve this matter and to prevent a recurrence, the
covered entity terminated the nurse practitioner’s access
to its electronic records system, reported her conduct to
the appropriate licensing authority, and gave her reme-
dial Privacy Rule training. n
Editor’snote:AdditionalinformationaboutOCRresolu-
tionagreementsisavailableathttp://www.hhs.gov/ocr/
privacy/hipaa/enforcement/examples/casebyentity.
html#2generalhospital.
October 2012 Briefings on HIPAA Page 11
© 2012 HCPro, Inc. For permission to reproduce part or all of this newsletter for external distribution or use in educational packets, contact the Copyright Clearance Center at www.copyright.com or 978-750-8400.
HIPAA Q&A

Fundraising, other providers, going out of business

by Mary Brandt, MBA, RHIA, CHE, CHPS

Q: Other provider offices, pharmacies, and laboratories contact our office when our patients don’t provide all of the insurance information necessary for billing purposes. This occurs when patients don’t return telephone calls. Is providing this information without contacting the patient permissible?

A: Yes. The Privacy Rule permits covered entities to share PHI with other covered entities (e.g., providers, pharmacies, laboratories) without patient authorization if: (1) the information is needed for the other covered entity’s healthcare operations, and (2) both covered entities have a relationship with the patient.

Q: Does HIPAA require medical facilities to notify patients when they are going out of business? Must a medical facility that is going out of business notify patients and provide a location where patient records are accessible? How long after closing must records be accessible?

A: The Privacy Rule does not require medical facilities to notify patients when they go out of business, but state law may do so.

Laws vary from state to state, but many states describe specific processes for providing notice to patients so they may obtain copies of their records. Records must remain accessible for the minimum retention period required by state law.

Q: As part of its fundraising effort, Hybrid Entity’s cancer center wants to send a patient list (demographic information only) to Hybrid’s development office, which is not designated as a healthcare component of Hybrid. Is this permissible? ABC is sharing demographic information only. Does generation of this list by a specialty clinic divulge information about the type of treatment?

A: Covered entities may use or disclose limited PHI to business associates or institutionally related foundations for fundraising.

The development office is considered part of Hybrid Entity and does not have to be specifically designated as a healthcare component. Patient authorization is not required to use PHI for fundraising, but covered entities must tell patients about this use in their Notice of Privacy Practices.

A patient list from the cancer center may reveal general information about a patient’s condition, but using only demographic information and dates of service for internal fundraising is acceptable.

Q: Does accessing your own medical records violate HIPAA? Hospital policy prohibits employees from accessing their own medical records.

A: The Privacy Rule gives individuals the right to access their PHI, but many healthcare organizations require employees to request copies of their PHI like any other patient. If hospital policy prohibits employees from directly accessing their own records, the hospital may enforce that policy, as long as it gives employees another channel to request access to their records.

Editor’s note: Brandt is vice president of health information management at Scott & White Healthcare in Temple, Texas. She is a nationally recognized expert on patient privacy, information security, and regulatory compliance. Her publications provided some of the basis for HIPAA’s privacy regulations.
Compliance building blocks

Responding appropriately to complaints of noncompliance

An important part of a compliance officer’s job is responding to noncompliance complaints.

A process and procedures to ensure that anyone who complains about noncompliant activities will not be subject to retaliation is necessary, says Frank Ruelas, MBA, principal of HIPAA College in Casa Grande, Ariz.

Complaints may be perceived negatively, but they have a positive side, Ruelas says. Consider medication errors. If staff members don’t report them, the incidence may appear low when, in fact, a bigger problem exists.

A measure of effectiveness

Complaints can be an indicator of program effectiveness. Awareness of a problem allows you to educate your workforce and correct mistakes, he says.

Train your workforce on how to report items that must come to your attention, he says. You want staff members to report possible violations, especially if they suspect incidents might result in a breach of PHI. If staff members are not following policies and procedures designed to protect privacy and security, you want to know about it.

Monitor all complaints

Compliance officers must carefully monitor complaints. How many occur monthly? What is their origin? Does one area generate more complaints than others? Investigate why this is happening. Are complaints not reaching the compliance officer? Why not? Is a department director acting as a filter so that incidents aren’t reported?

A compliance officer must have access to the CEO and board of trustees to facilitate reporting complaints and problems to the highest level of authority, he says. The path should be as clean as possible.

Nonretaliation for reporting

If someone reports a compliance problem in good faith, there must be a clear expectation of nonretaliation, Ruelas says. You want individuals with good intent to come forward with any compliance incidents. Educate staff about whistleblower protections.

A process for complaints

Create a process for alerting the compliance officer about complaints. Problems can be reported in writing, electronically, in person, or via recorded messages left on a hotline.

Regardless of method, ensure that staff have the ability to raise a red flag about compliance problems. Many organizations create hotlines to allow workforce members and patients to report complaints. Some organizations encourage workforce members to fax complaints to a designated location.

Ensure that new workforce members know how to submit complaints and remind all workforce members about the submission process via newsletters and email. Create a process to ensure that you deal with complaints and respond to them.

Internal and external complaints

Staff and patients may also file external complaints with a federal agency. If this occurs, remain focused. Don’t get personally involved; keep your mind on the incident, says Ruelas. “This may be one of the most difficult mental and professional hurdles to overcome,” he says. Maintain a neutral perspective, identify the relevant facts, and move forward. Don’t let anything compromise your review of and response to a complaint, he says.

Consider whether you have resources to investigate. At times, you may need assistance. Some issues could be so complex or volatile that you need a third party to help investigate them, Ruelas says.

Editor’s note: This is the fourth part in our series on compliance featuring Ruelas. In this series, he introduces basic principles proven helpful in establishing effective compliance programs.
A supplement to Briefings on HIPAA
A training tool for healthcare staff

Privacy & Security Primer
October 2012
BOH, P.O. Box 3049, Peabody, MA 01961-3049 Phone: 781-639-1872 Fax: 781-639-7857

Tips from this month’s issue
Incident response teams (p. 1)

1. An organization’s incident response team should include representatives from these departments:
− Legal and risk management
− PR
− Human resources
− Information security
− Compliance/privacy officers
− Police and security
− Physicians and/or chiefs
− Research and the institutional review board

2. HHS issued interim final breach notification regulations in August 2009, as required by the HITECH Act—rules expected to be finalized very soon. Access the regulations at www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html.

3. If an incident is reported or detected, you should have a team in place to quickly determine the impact and magnitude of the incident and decide how to respond to meet data breach requirements.

4. When an incident occurs within a covered entity, it should be viewed as a hospital management issue rather than a privacy office problem. It could involve many individuals and several departments.

5. Knowing how the incident occurred and why is critical. An incident response team enables everyone to hear the same information at the same time.

6. When a breach occurs, conduct a root cause analysis. This can help prevent future breaches.

Privacy and security incident response policy (p. 6)

7. Develop and maintain a privacy and security incident response plan that includes reporting of a suspected incident, the response team composition and responsibilities, and processes for investigation and management of the organization’s response, including external notification as appropriate and mitigation of any harmful effects of the incident.

8. Design a policy to mitigate any harmful effects of a privacy or security incident related to protected information and system assets, and to reduce the likelihood of a similar incident in the future.

9. Design a policy that addresses reporting, incident criticality, the incident response team, response guidelines, breach notification, documentation, post-incident wrap-up, testing, business associates, and incident examples.

10. Examples of privacy and security incidents include:
− A workforce member with authorized access to a database knowingly viewing a record in the database when there is no business reason to do so
− A workforce member who pressures another worker to share his/her user ID and password
− A workforce member who leaves an unattended workstation in an open work area logged on to confidential data
− A workforce member downloading software that is not permitted under the acceptable use policy
− An unauthorized third party using a valid user ID and password to gain access to an electronic network and/or systems
− An unauthorized third party seeking confidential information by pretending to be an individual authorized to obtain such information
− An email purporting to be from an authorized party or other false credentials used to obtain PHI or other confidential information
− A software virus or worm interfering with the functioning of personal computers that are part of an information system
− An individual presenting as a patient but with falsified identification

Privacy and Security Primer is a monthly, two-page Briefings on HIPAA insert that provides background information that privacy and security officials can use to train their staff. Each month, we discuss the privacy and security regulations and cover one topic. October 2012.
Privacy and security violations sanctions policy (p. 8)

11. Organizations should develop a policy that ensures that privacy and security violations are taken seriously and result in sanctions. Remind the workforce of the potential consequences annually through a workforce awareness program.

12. Privacy and security violations sanctions may include:
− Oral or written warnings
− Immediate termination of employment, of work agreement with students/trainees and volunteers, and/or of business contract, as appropriate
− External reporting, possibly resulting in civil and criminal legal consequences:
  − To government agencies, such as the Secretary of Health and Human Services
  − To law enforcement
  − To licensing and registration boards

13. An organization should not intimidate, threaten, coerce, discriminate against, or take any other retaliatory action against an individual who:
− Exercises his or her rights or participates in the organization’s complaint process
− Files a complaint with the Secretary of Health and Human Services, OCR, or CMS
− Testifies, assists, or participates in an investigation, compliance review, proceeding, or hearing
− Opposes any act or practice unlawful under HIPAA, providing that the individual acted in good faith, believing that the practice was unlawful, the manner of opposition is reasonable, and the opposition does not involve disclosure of PHI in violation of HIPAA regulations

Compliance building blocks (p. 12)

14. Train your workforce how to report possible violations, especially if they suspect incidents might result in a breach of PHI.

15. Compliance officers must carefully monitor complaints. How many occur monthly? What is the origin? Does one area generate more complaints than others? Are complaints not reaching the compliance officer? Why not?

16. A compliance officer must have access to the organization’s CEO and board of trustees to facilitate reporting complaints and problems to the highest level of authority. The path should be as clean as possible.

17. If someone comes forward in good faith to report a compliance problem, there must be a clear expectation of nonretaliation. You want individuals with good intent to come forward with any incidents related to compliance with all federal regulations, including HIPAA. Educate staff about whistleblower protections.

18. Ensure that new workforce members know how to submit complaints to the compliance officer and remind all workforce members of the submission process via newsletters and email. Create a process to ensure that you deal with complaints and decide how to respond to them.