[ Thursday, April 10, 2014 ]
Jeff [12:16 PM]
I'm listening to Kristen Rosati talk on "Anatomy of a Health Care Data Breach" at the UT's Health Law CLE seminar. A couple of key points on hands-on dealing with a breach:
- No definition of "compromise"
- If misdirected email, recipient agrees to delete, and you can "document the heck out of it," probably don't need to report it.
- Risk analysis should document analysis of each factor if determining that reporting isn't required.
- Prepare in advance for a breach: who needs to be involved, including a committee of stakeholders; maybe lawyer (especially outside counsel) to protect attorney-client privilege;
- Move quickly to interview appropriate folks, including law enforcement if applicable;
- Implement corrective action, even before corrective action starts (map the steps out and follow up on them)
- Mitigate, fix, retrain, and document every step
- Fix within 30 days -- if no "willful neglect," it gives you an affirmative defense
- Make sure your notice has all of the specific regulatory requirements, especially once Marketing changes it
- Notification to media also has to be within reasonable time, but not necessarily at same time as notice to individuals (can give individuals a little advance notice to manage relationships)
Look at your BAAs and make sure notice responsibility from BAs is clear, including who to report to (regular "notice" provision probably isn't right, you want them notifying the Privacy Officer). Also, BA reporting time is subsumed into CE's reporting, so it should definitely be shorter than 60 days (hopefully within time for CE to meet the 30-day response for an affirmative defense). BAs might want to keep a matrix of their reporting obligations under all of their different BAAs.
OCR reviews the 500+ breach reports daily and regional offices confirm that entity actually submitted the report. If you get that call from OCR, you should already be working with your response team. Even though OCR folks are nice, it is a formal investigation, so keep a record of your communications with OCR.
State AG penalties are capped at the old $25,000 level, not the new $1.5 million level. Each individual and each day of violation count as separate violations (you get to $1.5 million quickly), and one act can violate more than one requirement.
On the flight down, I read HCCA's monthly magazine, and saw a Privacy Officer refer to "LoProCo" as shorthand for "low probability of compromise;" I will use that handle.