OVERVIEW:
This half-day workshop is intended to provide attendees with detailed, practical guidance and tools to assist organizations in evaluating and responding to security incidents and breaches that compromise protected health information (PHI) and personal information (PI). Topics that will be covered include:

- Key Terms under HIPAA and the New Jersey Identity Theft Prevention Act (NJITPA):
  - A detailed review of the definitions of “Breach”, “Security Incident”, “Protected Health Information”, “De-Identified Data” and “Personal Information”.
  - Using working examples, discussion of how these definitions materially affect the analysis of whether a security incident rises to the level of a legal “Breach”, and whether notification or another response is required.
  - Why it is critical that these terms, as they appear in HIPAA Business Associate Agreements (BAAs), track the legal definitions.
- The HIPAA Breach Risk Assessment
  - Safe Harbors: “Unintentional”, “Inadvertent”, and Not “Reasonably Retained”. Overview of the statutory carve-outs that permit a conclusion of “No Breach”.
  - Evaluating whether there is a “Low Probability” that PHI was compromised. Detailed discussion of HHS’s guidelines on how to evaluate the “low probability” threshold in a consistent manner, followed by an overview of the Four Factors critical to this assessment and how to evaluate each Factor consistently. A deep dive into:
    - Nature and extent of the data (minimal PHI? de-identified data? a limited data set (LDS)?)
    - Nature of the recipient/unauthorized individual (cooperative vs. uncooperative individuals; individuals who extort; and a review of HIPAA’s criminal provisions (i.e., what to put in a “demand letter” for return of PHI))
    - Determining whether PHI was “Acquired” or “Viewed” (forensics; HHS’s guidance on whether deployed ransomware is a de facto “Breach”)
    - Mitigation (what steps need to be taken for “full mitigation”; sanitization of external devices and accounts that may have transmitted and/or housed breached PHI; legal intervention (NJ case with a successful injunction)). [HANDOUTS: Certification to Destroy ePHI; Confidentiality Agreement with 3rd Party re: No Re-Disclosures]
  - Step-by-step work-through of example Breach cases using Oscislawski LLC’s Low Probability Assessment Tool to apply the Four Factor test and calculate a “Low Probability Score”. Discussion of how to use the Low Probability Score in the final evaluation and determination of whether a Breach is “reportable” (i.e., notices required). [HANDOUT: Breach Risk Assessment Tool]
- Breach Response
  - Calculating Breaches of “500 or More” affected Individuals.
    - How to respond when a BA’s Breach affects PHI of multiple Covered Entities (i.e., HHS guidance on how to calculate the total number of individuals per Covered Entity).
    - How to calculate the number of individuals affected by State/Jurisdiction for purposes of Media Notices.
  - Breach Notification requirements and other obligations of a Covered Entity, including:
    - Notices to HHS (immediate vs. annual);
    - Notification to Individuals (incl. State Law considerations);
    - Notification of the Media (what is required, and the 500 Individuals per Jurisdiction threshold).
- Breach Prevention
  - Security audits and automated technological solutions to identify issues in advance
  - Strong and detailed Breach Policies and Procedures [HANDOUT: Sample Breach P&P (w/ NJ Law)]
  - Workforce Acknowledgement and Agreement [HANDOUT]
REGISTER: For registration inquiries, please contact HRET at HRETEducation@njha.com or 609-275-4181. Further detail to be released soon. Visit