Breach Notification Rule

00:00

once more unto the breach, dear friends once more or close the wall up with our English dead in peace, there's nothing so becomes a man has modest stillness and humility. But when the blast of war blows in our ears than imitates the action of the Tiger. Beautiful words from Henry, the fifth spoken by King Henry, written by William Shakespeare

00:17

and you to my friends. Once more unto the breach, we will go into the lecture

00:21

on the breach notification rule the hipper requirements of when your protected health information has been leaked or stolen and in the wild, what do you required to do next and yes, imitating the action of the tiger, Mr Shakespeare is very appropriate.

00:34

So in today's lecture, we will be defining what it breaches and the rules surrounding the unauthorized access of data that hasn't been de identified. I e unsecured protected health information and we will be reviewing the requirements covered entities and business associates must provide on the notification requirements of a breach involving unsecured protected health information.

00:52

We will look at the different notification requirements, such as notifying the individual that there is a chance their info is in the wild

00:58

when to notify the press and local local media, not a Facebook post you wanna put out there, my friends and how you actually have to notify the secretary of HHS. You think Shakespeare has a lock on plays involving tragedy? Imagine that phone call. And when we will learn about the burden of proof, which is covered, entities have the burden of demonstrating that all required notifications

01:17

have been provided or the use or disclosure of un unsecured pH. I did not reach the requirements of being a breach.

01:25

So we have these great users. They're not clowns anymore because we have your amazing security management program. And then it's not a matter of if, but of when. And a data breach still occurs. So it breaches the impermissible use or disclosure under the privacy rule that comprises the security and privacy of the protected information. And the extent of the breach is based on the risks of the following criteria.

01:44

How much personally identifiable information was in the record or records and the likelihood of there being enough enough information to identify the individual,

01:51

the unauthorized person who used the P. H. I or whom the disclosure was made. I e. Another doctor without intent or a bad guy who has the reputation of being an evil cyber clown was the record. Or where the records actually viewed to the recipient of the email that had the pH I included actually opened the email Or did it end up in the spam folder

02:09

and what efforts to

02:10

two were used to minimize the risk that were made by the person, persons or organizations involved? The healthcare partner immediately retracted the email. All copies of the known email were deleted, and all possible parties of the breach were notified to minimize the risk.

02:25

So breach notification is why you are informed and hear in the news about some company had a breach in thousands of not hundreds of thousands of records were lost and now likely on sale on the dark Web breach. Notification is such a big deal from a regulatory perspective, and there is so much to it. I can't cover it all in a single slide or a single lecture, so you will have to do some

02:44

homework in your cyber, a supplemental learning included in this course.

02:47

The HIPPA regulations require all covered entities to notify the individual group of individuals the Public i e. A press statement of the non secure release of the Protected Health Information Records

02:58

covered entity always notifies the individual via first class mail or via email that their information might be in the clear. So take precautions. And if more than 500 individual records were exposed, a press release is required. If a breach exceeds 500 individuals, you have to notify the secretary of HHS within 60 days.

03:15

Otherwise, your organization will submit their breach notifications

03:19

in an annual submittal online at HHS. If a record was disclosed without permission by a business associate, a company that helps your hospital with the building, for example, the business associate has to notify you your hospital that covered entity within 60 days. And the HIPPA regulations require you to have the administrative requirement of the burden of proof,

03:37

a fancy way of saying you have to show with documentation

03:39

that you properly followed the rules for every breach, notification with records and when and how you did so.

03:46

So the problems surrounding breach is all about the release of what we call unsecured protected health information so What the heck is that?

03:52

Unsecured means really three things. Unsecured data is data that hasn't been de identified. The reduction of enough of those 18 fields of data in a record so that we can no longer recognize the individual or the data has not been rendered unreadable through some type of obfuscation, method or technology, like encryption or the media itself that the data is on, like paper or photographs, emery images or storage media like hard drives.

04:15

Well, the stuff has not been properly disposed. So one way or another, if this unsecured data is accessed by an unauthorized individual, we might have a breach. And remember that just because it's been accessed or looked at by an unauthorized person doesn't mean that the breach has occurred and we have to start the notification process. A doctor who doesn't require access to the record but has looked at it anyway

04:33

might not be a likely candidate for leaking the data.

04:36

It all depends on what the who the likelihood of misuse and abuse breach is all about the possible intent.

04:43

So, following a breach of unsecured pH. I covered entities and business associates required to perform the proper breach notification. So let's break that down. Individual notices provided in written form by first class mail or or by email If the affected individual has agreed to receive such notices, Elektronik Lee

04:59

if they covered entity is insufficient or out of date information for 10 or more individuals,

05:02

the covered entity must post the notice on its home page of its website for at least 90 days or providing the notice a major print and broadcast media where the affected individuals reside and these actions have to happen within a reasonable time frame from within the breach within the 1st 60 days if the breach was allowed by a business associate.

05:19

While the covered entity is ultimately responsible for ensuring the individuals were notified,

05:24

the covered entity may delegate the responsibility of individual notice to the business associate. Now, folks remember this. It's about the number 500 if a covered entity experiences a breach affecting more than 500 residents of a state or jurisdiction. In addition to notifying the individuals that covered entity is required to provide

05:41

noticed a prominent media outlets serving the state of jurisdiction.

05:45

This will likely be in the form of a press release by the covered entity. Like the individual notice, media notice is required to occur within a reasonable time frame. No light, no later than 60 days of breach discovery. Now here's the big one. So take a deep breath because this one's going to punch you in the solar plexus. In addition to notifying the individual in the media, if we reached the 500 person threshold

06:04

I covered, Entity must notify the Secretary of HHS

06:08

of the breach of unsecured ph I within the 1st 60 days. This notification will be done be the HHS website and filling out an Elektronik breach report form. I don't know about you, but I don't wanna be the individual who has to Elektronik Lee signed the Breach Notification Forum on the HHS website. I am just so glad that our program will have all its act

06:27

acts together in our Greek tragedy. Well written and well rehearsed,

06:30

our program is going to win the Tony Award for best security comedy and not the worst security tragedy in the last few concept someone to cover regarding breach, notification of the administrative requirements and burden of proof surrounding notification as a covered entity. You must document appropriately that they performed individual media and secretary breach Notifications

06:47

were done and completed were applicable. Or you must meet the burden of proof that the data was breached was not sufficient to identify the individual or those that would access it are not likely to take advantage of the data or something to that effect.

07:00

Not enough occurred to meet the definition of a breach. Now, remember, in the omnibus rule, the O and B update said that two fields of data were enough to meet the breach notification standards. So the covered entity is better off being forthright and sharing, then put up a fight and wanting about it after the breach. Damage has already been done,

07:15

and all covered entities are required to have the appropriate breach notification, policies, procedures and employee training.

07:21

This is what we do when it reached occurs and who and how we notify and what our employees role is in it. And what will the penalties and sanctions be if the employee doesn't follow these policies and procedures? Because after all, this is where the rubber meets the road on our hip, a car driving off the cliff

07:36

So now we've learned more than we wanted to about breach notification. It's time to write a 100 page sonnet on breach and the Internet age and make sure you're writing in iambic pentameter. I don't know what that is. It's just always sounded really cool. So what are the three types of breach notification, and when are they required?

07:50

Well, you have individual notification, always within 60 days of the breach and in snail mail or email form, depending on what the individual has signed up for. Don't forget about the covered entities Home page posting. If they don't have addresses for 10 persons or more,

08:03

the media has to be well notified of. More than 500 unsecured records were exposed, usually in the form of press notice of repressed notice on. The secretary of HHS is always notified, and a Shakespeare said, the fear is, is bad is falling. But for our security program and our roles as leaders, well, we will be just and fear not

08:24

so in today's lecture, we talked defining a breach and being the disclosure of unsecured protected health information unless the covered entity or business associate demonstrates that there is a low probability that the pH I has been compromised reviewed the breach notification requirements of individuals, media and the secretary of HHS and when notification is required.

08:41

And we reviewed how we have to have policies, procedures and employee training and sanctions

08:46

around breach notification. In our next lecture, we will dig deep into the data sharing and responsibilities within our business partner and business associate agreements.

08:54

So thanks for sitting in with us today and listening to us Quote from Shakespeare and the requirements of breach notification. And you thought you had a problem. Sleeping boy did reading Shakespeare sonnets put me to sleep. I barely made it through my acting class and we won't even talk about what I looked like in Romeo's leotards and costume. Now that requires media notification.

09:11

We apologize here cyber for putting your instructor in costume. Ouch! Really ugly. So on behalf of all of us here, Sai Buri, thanks so much.