www.garfunkelwild.com

We’ve Had A Breach – Now What?

Garfunkel Wild, P.C.
411 Hackensack Avenue, 6th Floor, Hackensack, New Jersey 07601
667 Broadway, Albany, New York 12207
111 Great Neck Road, Suite 600, Great Neck, New York 11021
350 Bedford Street, Suite 406A, Stamford, Connecticut 06901

Andrew E. Blustein, Esq.
[email protected]
(516) 393-2218 | (201) 883-1030 | (203) 316-0493

Upload: bryan-norman

Post on 19-Jan-2016



2 © 2015 GARFUNKEL WILD, P.C.

Breach Notification

Under HITECH, a Covered Entity (“CE”) is required to NOTIFY patients of Breaches of unsecured protected health information.

In addition, a CE must inform the Office of Civil Rights (“OCR”) of such Breaches either in an annual report or, if such Breaches involve more than 500 people, immediately in writing.

• Note: Breaches involving more than 500 people will be posted on the Department of Health and Human Services’ website

If such Breaches involve fewer than 500 people, CEs must inform OCR of such breaches in an annual report


Breach Definition

A Breach is an unauthorized access, use or disclosure of unsecured PHI that compromises the unsecured PHI.

An unauthorized access, use or disclosure of unsecured PHI is considered to be a Breach unless the Covered Entity can demonstrate, through a written risk assessment, that there was a low probability that the information was compromised.


Breach Notification

When a potential Breach is identified, it must be investigated to determine the cause and extent of the breach.

Consider opportunities to mitigate.


Breach Notification

A CE must send written notification to affected individuals by first-class mail without unreasonable delay and in no case later than 60 calendar days after the Breach is discovered by the CE.

A Breach is considered to be discovered when the incident becomes known (or should have become known with reasonable diligence), not when the CE concludes the investigation.


Content of Notice

The notice to the affected patients must include at least the following:

• A brief description of what happened (e.g., date of the breach, date of the discovery of the breach)

• A description of the types of unsecured PHI that were involved in the breach

• Any steps individuals should take to protect themselves from potential harm resulting from the breach

• A brief description of what the CE involved is doing to investigate the breach, to mitigate the harm and to protect against any further breaches

• Contact procedures for individuals to ask questions or learn additional information (i.e., a toll-free telephone number which must remain active for at least 90 days)

Note: Also need to comply with applicable state laws


HITECH Act: Substitute Notice

If there is insufficient contact information for some of the affected individuals or some notifications are returned undeliverable, the CE must provide substitute notice for the unreachable individuals (e.g., if greater than 10 individuals, conspicuous notice on the home page of the CE’s website for at least 90 days or conspicuous notice in prominent media outlets serving the State or jurisdiction where most of the affected individuals reside)


Breaches Involving 500 or More Individuals

If there is a breach involving more than 500 individuals, in addition to providing direct notification to the affected individuals, the CE must also post notification of the Breach on the home page of its website and, through a press release, inform prominent media outlets serving the State or jurisdiction where individuals affected likely reside. Such notifications must include the same information required for the individual notice.


Mitigation

Consider opportunities to mitigate:

• Obtain written assurances that the person who received the information deleted it and didn’t share it

• Offer credit monitoring services

• Take appropriate disciplinary action against employees

• Retrain staff

• Modify processes and implement new safeguards to prevent future breaches (e.g., fax numbers on speed dial, encrypted CDs, laptops, and thumb drives)

• Conduct additional audits on employees


Risk Assessment

If a CE determines that a Breach has not occurred, the CE must document a risk assessment

• Risk assessments should be documented when a breach occurred as well (not required, but OCR may ask for this documentation)

The burden of demonstrating that no notice is required for a given Breach is on the CE