WHO IS HERE? - HIMSS Chapter › sites › himsschapter › files › ...Cost of Data Breaches and...

Date post: 08-Jun-2020
TERRI L. BARRETT, PHD, CIPM WV EXECUTIVE BRANCH DEPUTY CHIEF PRIVACY OFFICER WV HEALTHCARE AUTHORITY NOVEMBER 13, 2015
Transcript
Page 1: WHO IS HERE? - HIMSS Chapter › sites › himsschapter › files › ...Cost of Data Breaches and Your Identity ... If any of the above exclusions apply and you answered “Yes”

TERRI L. BARRETT, PHD, CIPM

WV EXECUTIVE BRANCH DEPUTY CHIEF PRIVACY OFFICER

WV HEALTHCARE AUTHORITY

NOVEMBER 13, 2015

Page 2:

WHO IS HERE?

Page 3:

FOR THE NEXT 45 MINUTES OR SO...

• Anticipate

• Cost of Data Breaches and Your Identity

• OCR Current Breach Stats

• PII versus PHI

• Breach versus Incident

• Respond

• Risk of Harm

• Mitigate

Why Privacy is so important

Page 5:

2015 COST OF A DATA BREACH

Page 6:

THE COST OF YOUR IDENTITY ON THE DARK WEB

Page 7:

DOB $11

Page 8:

Credit Card $15

Page 9:

Credit Card & DOB $11

Page 10:

Login Credentials $20-$50

Sour

Page 11:

SSN $1

Page 12:

Driver’s Licenses $10-$35

Page 13:

Partial EHR $50

Page 15:

According to the Department of Health and Human Services, “data about more than 120 million people has been compromised in more than 1,100 separate breaches at organizations handling protected health data since 2009”

Page 16:

153,943,182 People

1,364 HITECH Act Breaches

Page 17:

Leading Cause of Breaches

• Theft

Leading Source of Breached Patient Data

• Laptops, Paper Records and Desktops

Page 18:

Hacking of network services continues to affect the most patients – more than 110 million individuals…

Page 19:

OCR HIPAA PATIENT COMPLAINTS AS OF SEPTEMBER 30

121,576 complaints received

34,710 under OCR jurisdiction

23,873 required corrective actions by Covered Entities

10,837 cases with no violations

94% of all examined cases were resolved

559 complaints were referred to the Department of Justice for possible criminal prosecution

Page 20:

PRIVACY AREAS INVESTIGATED

• Impermissible uses and disclosures of protected health information;

• Lack of safeguards of protected health information;

• Lack of patient access to their protected health information;

• Lack of administrative safeguards of electronic protected health information; and

• Use or disclosure of more than the minimum necessary

Page 21:

CE’S REQUIRED TO TAKE CORRECTIVE ACTION

• Private Practices;

• General Hospitals;

• Outpatient Facilities;

• Pharmacies; and

• Health Plans (group health plans and health insurance issuers)

Page 22:

PII AND PHI…WHAT’S THE DIF?

Page 23:

• Personally Identifiable Information (PII)

• Protected Health Information (PHI)

• Payment Card Industry Data Security Standard (PCI-DSS)

• Federal Tax Information (FTI)

Page 24:

Protected health information (PHI) is individually identifiable health information that is transmitted or maintained in any form or medium (45 CFR 160.103)

“Health information means any information, including genetic information, whether oral or recorded in any form or medium that:

(A) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and

(B) relates to the past, present, or future physical or mental health or condition of any individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.”

Page 25:

INFORMATION WHICH DEFINITELY IDENTIFIES AN INDIVIDUAL

• Names;

• Geographic Subdivisions Smaller than a State (except some three-digit ZIP codes);

• Dates Directly Related to an Individual (except years);

• Telephone Numbers;

• Fax Numbers;

• Electronic Mail Addresses;

• Social Security Numbers;

• Medical Record Numbers;

• Health Plan Beneficiary Numbers;

• Account Numbers;

• Certificate/License Numbers;

• Vehicle Identifiers and Serial Numbers (including license plate numbers);

• Device Identifiers and Serial Numbers;

• Web Universal Resource Locators (URLs);

• Internet Protocol (IP) Address Numbers;

• Biometric Identifiers;

• Full Face Photographic Images (and comparable images); and,

• Any Other Unique Identifying Number, Characteristic, or Code.
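The identifier list above is what decides whether a leaked file still counts as individually identifiable (and, in the risk of harm assessment later in the deck, how the first factor is rated). The following is an added example, not a tool from the presentation or from the WV Healthcare Authority: it scans a record for the identifier categories that can be matched mechanically (SSN, phone/fax, e-mail, dates, URLs, IP addresses, medical record numbers, ZIP codes) and treats a populated name field as the Names category. The regexes, the field-naming convention and the sample records are all constructed for this example; categories such as biometric identifiers or full-face photographs cannot be found by pattern matching and are out of scope here.

```python
import re
from typing import Dict, List

# Regexes for the identifier categories that can be detected mechanically.
# Constructed for this example; tune them before running over real data.
IDENTIFIER_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "Social Security Number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "Telephone/Fax Number": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "Electronic Mail Address": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "Date Directly Related to an Individual": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
    "Web URL": re.compile(r"\bhttps?://\S+"),
    "Internet Protocol (IP) Address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # Assumed local convention: MRNs appear as "MRN" followed by 4+ digits.
    "Medical Record Number": re.compile(r"\bMRN[ :#]*\d{4,}\b"),
    # A five-digit ZIP code is a geographic subdivision smaller than a state.
    "Geographic Subdivision Smaller than a State": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
}


def scan_text(text: str) -> List[str]:
    """Return the sorted identifier categories whose pattern matches the text."""
    return sorted(cat for cat, pat in IDENTIFIER_PATTERNS.items() if pat.search(text))


def scan_record(record: Dict[str, str]) -> List[str]:
    """Scan one record: a non-empty 'name' field counts as the Names category
    (assumed field convention); every other field is pattern-scanned."""
    found = set()
    if record.get("name", "").strip():
        found.add("Names")
    for field, value in record.items():
        if field != "name":
            found.update(scan_text(value))
    return sorted(found)


def is_identifiable(record: Dict[str, str]) -> bool:
    """Any remaining identifier means the record is still individually identifiable."""
    return bool(scan_record(record))


# Constructed sample records (no real people or systems).
SAMPLE_RECORDS = [
    {"name": "J. Doe", "note": "Pt DOB 03/14/1962, MRN 0048213, call 304-555-0123"},
    {"name": "", "note": "Aggregate count for ZIP 25301: 42 visits in 2015"},
    {"name": "", "note": "State-level summary: 1,204 admissions, year 2015"},
    {"name": "", "note": "portal login from 198.51.100.7 by a.patient@example.org on https://portal.example.org/visit/123"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(is_identifiable(rec), scan_record(rec))
```

Only the third sample record survives as a state-level, year-only summary with no identifier left; every other record would still have to be treated as identifiable data in a breach investigation.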

Page 26:

http://blog.privatewifi.com/pii-chart-educates-against-identity-theft-fraud-scams/comment-page-1

Page 27:

Definition of Breach (45 C.F.R. 164.402)

• Incident: The acquisition, access, use, or disclosure of protected health information in a manner not permitted under HIPAA; and,

• Risk: Impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates a low probability that the PHI has been compromised.

Page 28:

Incident Risk Breach

Page 29:

RESPOND

• Review the circumstances regarding the breach, conduct an investigation, complete a risk assessment, and determine necessary actions including involvement of enterprise, local law enforcement and legal counsel resources.

Page 30:

RESPOND

• Coordinate communications with all involved in the investigation, including patients, licensing and accrediting organizations, state and federal governmental agencies, etc.

Page 31:

RESPOND

• Retain all related breach investigation documentation (to be maintained for a minimum of six years).

• Recommend resolution and corrective action steps (sanctions) to mitigate potential harm.

• Report results of the investigation to involved persons, entities, and agencies as recommended and/or required by law.

Page 32:

RISK OF HARM ASSESSMENT

Page 33:

STEP 1: REVIEW FOR EXCLUSIONS

Was the data encrypted?

Was the unintentional acquisition, access or use of PII (or PHI) made in good faith and within the scope of authority of an individual or entity, for lawful purposes of the individual or entity, by a person or business associate, and is not subject to further unauthorized use or disclosure?

HIPAA Only:

Was the PHI inadvertently disclosed by a person who is authorized to access PHI at a HIPAA covered entity or business associate to another person authorized to access PHI at the same covered entity, business associate, or organized health care arrangement in which the covered entity participates, and the information received as a result of such disclosure was not further used or disclosed in an unauthorized manner?

Does the HIPAA covered entity or business associate have a good faith belief that the unauthorized person to whom the disclosure of PHI was made would not reasonably have been able to retain such information?

If any of the above exclusions apply and you answered “Yes” to any of the questions above, there is no breach and notification is not required. Document the decision.

Page 34:

STEP 2: IF NO EXCLUSIONS…

Complete the Risk of Harm Assessment

Analyze possible risk to affected individuals

Use your results as a guide to assist with notification determination

Page 35:

RISK ASSESSMENT FACTORS

Rating scale for each factor: High Risk of Compromise (2 points); Medium to Low Risk of Compromise (1 point); No Impact (0 points). Each factor receives one rating score.

The nature and extent of the PII used or disclosed

High risk (2 points): Unauthorized use or disclosure of electronic PII (W. Va. Code § 46A-2A-101: an individual’s first name or first initial and last name in combination with SSN, driver’s license/State ID card, or financial account numbers); unauthorized use or disclosure of unsecured Protected Health Information (PHI).

Medium to low risk (1 point): Unauthorized use or disclosure of electronic PII associated with an individual (excludes PHI).

No impact (0 points): Unauthorized use or disclosure with no sensitive PII.

The unauthorized recipient of the use or disclosure (or who illegally obtained the PII)

High risk (2 points): Untrusted/unknown recipient; lost or stolen.

Medium to low risk (1 point): Trustworthy recipient, for example an individual with contractual obligations to the department or with confidentiality obligations, such as an attorney or medical professional.

No impact (0 points): Trusted recipient, for example a member of the workforce.

Disposition of the unauthorized use or disclosure: assess what happened after the initial use or disclosure of PII

High risk (2 points): PII was acquired; cyber incident; obtained for personal gain/malicious harm.

Medium to low risk (1 point): PII was viewed or partially viewed but not acquired.

No impact (0 points): PII was not viewed or acquired.

The extent to which the risk to the PII has been mitigated

High risk (2 points): No mitigation; unable to retrieve PII; unsure of disposition or location; PII is pending re-disclosure or already re-disclosed; no security controls; security controls such as password or encryption were compromised.

Medium to low risk (1 point): We have good-faith reason to believe that the PII has not and will not be used or disclosed; PII destroyed, but not confirmed; electronically deleted, but not confirmed.

No impact (0 points): We have good-faith reason to believe that the PII has not and will not be used, disclosed, or retained; data wiped; information/device meets security control standards.

Any other factors or information which can assist in determining whether the PII was compromised:

Page 36:

NEXT STEPS…

STEP 3: CATEGORIZE FACTOR RATING POINTS:

Total score of 7 or 8 = High Risk: PII has been compromised.

Total score of 5 or 6 = Medium Risk: PII may have been compromised.

Total score of 4 or less = Low Risk or No Impact: There is likely a low risk of compromise or no impact.

STEP 4: IS NOTIFICATION REQUIRED?

Page 37:

EXAMPLE 1: STOLEN (OR LOST) LAPTOP

Laptop was recovered

Forensic analysis shows the PII was not accessed, altered, transferred or otherwise compromised

Page 38:

EXAMPLE 2: UNAUTHORIZED DISCLOSURE

Unauthorized disclosure of PHI to a 3rd party who acquired the data and plans to re-disclose the data to a marketing company

The data file was unsecured

The data file contained unredacted electronic data consisting of patient names, patient addresses and diagnosis information
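Steps 1 through 4 of the risk of harm assessment (exclusion review, factor scoring, categorization of the total, notification determination) are a small decision procedure, and the two examples above are its natural test cases. The following is an added example, not a tool from the presentation or from the WV Healthcare Authority: it encodes the four exclusion questions, the four factors at 0/1/2 points each, and the 7-8 / 5-6 / 4-or-less bands from Step 3, then scores Example 1 and Example 2. The factor ratings chosen for each example are this example's own reading of the scenarios (in particular, Example 1 is assumed to involve names with SSNs on the laptop), not ratings stated in the deck; the encrypted-laptop variant is constructed to show the Step 1 short-circuit. Step 4 is left as the reviewer's decision because the deck gives the category only as a guide.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Points(IntEnum):
    """Column values from the risk assessment factor table."""
    NO_IMPACT = 0    # "No impact (0 points)"
    MEDIUM_LOW = 1   # "Medium to low risk of compromise (1 point)"
    HIGH = 2         # "High risk of compromise (2 points)"


@dataclass
class Exclusions:
    """Step 1: the exclusion questions. Any 'yes' means no breach."""
    data_encrypted: bool = False
    good_faith_within_scope: bool = False
    inadvertent_between_authorized_persons: bool = False  # HIPAA only
    recipient_could_not_retain: bool = False              # HIPAA only

    def any_apply(self) -> bool:
        return any((self.data_encrypted, self.good_faith_within_scope,
                    self.inadvertent_between_authorized_persons,
                    self.recipient_could_not_retain))


@dataclass
class FactorRatings:
    """Step 2: one rating per factor row of the assessment table."""
    nature_and_extent: Points   # what PII/PHI was involved
    recipient: Points           # who received or obtained it
    disposition: Points         # what happened after the disclosure
    mitigation: Points          # how far the risk has been mitigated

    def total(self) -> int:
        return int(self.nature_and_extent + self.recipient
                   + self.disposition + self.mitigation)


def categorize(total: int) -> str:
    """Step 3: map the total (0-8) to the deck's three bands."""
    if total >= 7:
        return "High Risk: PII has been compromised."
    if total >= 5:
        return "Medium Risk: PII may have been compromised."
    return "Low Risk or No Impact: There is likely a low risk of compromise or no impact."


def assess(exclusions: Exclusions, ratings: Optional[FactorRatings]) -> dict:
    """Run Steps 1-3 and return what a Step 4 notification decision needs."""
    if exclusions.any_apply():
        # Step 1: an exclusion applies, so there is no breach and no
        # notification; the decision itself must still be documented.
        return {"breach": False, "score": None, "category": None,
                "notification_required": False,
                "action": "Document the decision"}
    if ratings is None:
        raise ValueError("no exclusion applies; factor ratings are required")
    total = ratings.total()
    # Step 4 uses the category as a guide, so it is left to the reviewer.
    return {"breach": True, "score": total, "category": categorize(total),
            "notification_required": None,
            "action": "Use the category as a guide for notification determination"}


def example_1_recovered_laptop() -> dict:
    """Example 1: stolen laptop, recovered; forensics show PII not accessed.
    Assumed for this example: the laptop held names with SSNs (electronic PII
    under W. Va. Code), so the first factor is rated HIGH."""
    ratings = FactorRatings(
        nature_and_extent=Points.HIGH,   # electronic PII with SSNs (assumed)
        recipient=Points.HIGH,           # "Lost or stolen"
        disposition=Points.NO_IMPACT,    # "PII was not viewed or acquired"
        mitigation=Points.NO_IMPACT,     # recovered; meets security control standards
    )
    return assess(Exclusions(), ratings)


def example_1_encrypted_laptop() -> dict:
    """Constructed variant of Example 1: the laptop's data was encrypted,
    so the Step 1 exclusion applies and no scoring takes place."""
    return assess(Exclusions(data_encrypted=True), None)


def example_2_unauthorized_disclosure() -> dict:
    """Example 2: unsecured file of names, addresses and diagnoses acquired by
    a third party who plans to re-disclose it to a marketing company."""
    ratings = FactorRatings(
        nature_and_extent=Points.HIGH,   # unsecured PHI
        recipient=Points.HIGH,           # untrusted/unknown recipient
        disposition=Points.HIGH,         # "PII was acquired"
        mitigation=Points.HIGH,          # pending re-disclosure, no mitigation
    )
    return assess(Exclusions(), ratings)


if __name__ == "__main__":
    for name, fn in [("Example 1", example_1_recovered_laptop),
                     ("Example 1, encrypted", example_1_encrypted_laptop),
                     ("Example 2", example_2_unauthorized_disclosure)]:
        print(name, fn())
```

Under these assumptions Example 1 totals 4 (Low Risk or No Impact) and Example 2 totals 8 (High Risk); changing the encrypted flag on the laptop scenario is what moves it out of scoring altogether, which is why the first Step 1 question is about encryption.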

Page 39:

• A Covered Entity (CE) must mitigate (to the extent practicable) any harmful effect that is known to the CE of a use or disclosure of PHI that is in violation of its policies or procedures (or the privacy rule) by the CE or its Business Associate (BA).

MITIGATE

Page 40:

• A hospital discovers that the medical records of a VIP inpatient have been accessed by numerous members of its work force by bypassing certain IT firewalls that had been created to prevent such access.

Page 41:

SCENARIO 2

• A recently hired medical records clerk at a psychiatric practice fails to secure the medical records in the medical records file cabinet on a Friday afternoon. That weekend, a group of painters who are painting the office see the records, make copies of them, and take them to a local restaurant that evening where they share them with other patrons. Upon hearing of this incident on Monday morning, the practice’s office manager realizes that the clerk failed to receive any training on security lock-up procedures for medical records, and that no policies or procedures have been prepared regarding work force training, mitigation of improper disclosures, or work force sanctions. No privacy official has been appointed by the practice.

Page 42:

SCENARIO 3

• A pharmacy benefit manager (PBM) serves as a BA to your organization’s sponsored group health plan. As required by the privacy rule, the PBM and your organization (CE) have entered into BA agreements. One morning, a customer service representative inadvertently faxes PHI to the wrong fax number. After realizing the mistake, the rep immediately notifies the PBM’s privacy official of the error.

Page 43:

Recommended