This training program will discuss the origin of the HIPAA Breach Notification Rule and how it works, including its interactions with other HIPAA rules and the penalties for violations. It will also explain how to create the right breach notification policy for your organization and the best practices for following through when an incident occurs.
Why Should You Attend:
The HIPAA Breach Notification Rule has been in effect since 2010 and was significantly modified in 2013. We will discuss the origins of the rule and how it works, including interactions with other HIPAA rules and penalties for violations. Whenever there may be a privacy issue involving Protected Health Information, there may be a reportable breach under the HIPAA regulations. Not all privacy violations are reportable breaches, though, so it is essential to have a good process for evaluating incidents to see if they have resulted in a reportable breach.
Any privacy rule violation that results in an acquisition, access, use, or disclosure of PHI in violation of the HIPAA Privacy Rule may be a breach, unless the incident is one of the defined exceptions from the definition. A breach is reportable unless the information was secured or destroyed in the incident, or unless a risk analysis shows that there is a low probability of compromise of the information, based on at least four factors defined in the rules.
We will examine how to determine if a privacy violation is potentially a breach according to the definition, and then describe the subsequent steps in the evaluation, if it is determined that the definition has been met. We will discuss the exceptions to the breach definition for inadvertent internal uses, or when it can be determined that the information could not be retained in any way by the receiving party.
Entities can avoid notification if the information has been encrypted according to Federal standards. We will cover the guidance from the US Department of Health and Human Services that shows how to encrypt so as to prevent the need for notification in the event of lost data. Failing that, a risk analysis can be conducted to determine the probability of compromise of the information, considering four factors: what the data is and how well identified it is; to whom it was released and whether they have obligations to protect the information; whether or not the information was actually exposed; and whether or not the incident has been mitigated properly. However, it must be noted that any compromise of the information by ransomware that denies access to or control of your information should be treated as a reportable breach.
In addition, any reporting must be made within the required time frames, or penalties can result, as shown in recent enforcement actions by HHS for late reporting of breaches.
We will discuss how to create the right breach notification policy for your organization and how to follow through when an incident occurs. In addition, a policy framework to help establish good security practices is presented.
We will help you understand what isn’t a breach and under what circumstances you don’t have to consider breach notification. You’ll find out how to report the smaller breaches (less than 500 individuals), and you’ll know why you want to avoid a breach involving more than 500 individuals – media notices, Web site notices, and immediate notification of HHS, including posting on the HHS breach notification “wall of shame” on the Web.
We will explain, based on historical analysis of reported breaches, what measures must be taken today to protect information from the most common threats, as well as discuss information security trends and explain what kinds of efforts will need to be undertaken in the future to protect the security of PHI.
Areas Covered in the Session:
• The definition of a Breach under HIPAA
• Evaluating the Privacy violation
• Reviewing the exceptions to the definition of a breach
• What is good enough encryption according to the rules
• Performing the Risk Analysis to determine the necessity to report
• Ransomware and Breaches – When to Report
• Avoiding Breaches
• The most common causes of breaches
• Reporting breaches to HHS and the individuals
• Reporting breaches to the press and other agencies
• Documenting your analysis and decisions
Who will benefit/Target audience:
This webinar will provide valuable assistance to all personnel in:
Medical offices, practice groups, hospitals, academic medical centers, insurers, and business associates (shredding, data storage, systems vendors, billing services, etc.). the titles are
Duration: 90 Minutes
Jim Sheldon-Dean is the founder and director of compliance services at Lewis Creek Systems, LLC, a Vermont-based consulting firm founded in 1982, providing information privacy and security regulatory compliance services to a wide variety of health care entities. Sheldon-Dean serves on the HIMSS Information Systems Security Workgroup, has co-chaired the Workgroup for Electronic Data Interchange Privacy and Security Workgroup, and is a recipient of the WEDI 2011 Award of Merit. He is a frequent speaker regarding HIPAA and information privacy and security compliance issues at seminars and conferences, including speaking engagements at numerous regional and national healthcare association conferences and conventions and the annual NIST/OCR HIPAA Security Conference in Washington, D.C. Sheldon-Dean has more than 30 years of experience in policy analysis and implementation, business process analysis, information systems and software development. His experience includes leading the development of health care related Web sites; award-winning, bestselling commercial utility software; and mission-critical, fault-tolerant communications satellite control systems. In addition, he has eight years of experience doing hands-on medical work as a Vermont certified volunteer emergency medical technician. Sheldon-Dean received his B.S. degree, summa cum laude, from the University of Vermont and his master’s degree from the Massachusetts Institute of Technology.