CHPC Study Group

C&C...Scenarios from the Field

  • 1.  C&C...Scenarios from the Field

    Posted 05-30-2020 09:24 AM
    Scenario:
A privacy officer is sharing with the HIPAA Compliance Committee that there was evidence that a recent ransomware attack did result in the exfiltration of data which contained PHI from the company's server.  The analysis did show that the PHI of 23,456 individuals was involved.  Because an earlier version of the exfiltrated file was backed up the night before, it was very easy to identify all of the individuals involved. The Privacy Officer led a risk assessment (they used the LoProCo method) and half of the 8 members of the committee voted that the incident represented a breach and the other half of the committee voted it was not a breach.

    The privacy officer indicated that though the "bad news" was that the committee was deadlocked on whether it was or was not a breach, the "good news" was that at least they would not need to spend any time or money on mailings, notice to the media, or having to post a notice on the organization's website.

    Question...under what circumstances or conditions would this statement by the privacy officer be true?

    ------------------------------
    -------------Frank "Snake Bite Leader" Ruelas--------------
    ► We don't fail unless we quit! ◄
    Bill Wong's Resource Folder: https://bit.ly/BillWong
    Super Summer Slam Study Squad sign up: CLOSED

    ░ Pass the Exam Group for 2020 ░
    Melissa Singleton - Jan - CHPC
    Julie Clutter - Jan - CHPC
    Tanisha Grant - Feb - CHC
    Lisa Bibby - Jan - CHPC
    Kelly Puida - Mar - CHPC
    Christina Serrano - Mar - CHC
    Rachel Anderson - May - CHC
    ------------------------------


  • 2.  RE: C&C...Scenarios from the Field

    Posted 05-30-2020 09:48 AM
My guess is that it would be true if the PHI was encrypted, rendering the information inaccessible, unreadable and unusable.

    ------------------------------
    Melanie Schoonover, MS, CRC, CHC
    Quality Assurance Supervisor
    ------------------------------



  • 3.  RE: C&C...Scenarios from the Field

    Posted 05-30-2020 10:04 AM

I'm going to say that the data was secured...meaning encrypted in a fashion aligned with the regulations so that even though it might have been a breach, there was no way the patient data could be "read". This meets one of the exceptions to the breach analysis rules.

    Best Regards,

    Scot Lovejoy RPh. CHC CHPC
    Chief Pharmacy Officer
    Compliance Officer
    9 Campus Drive, 2nd Floor East
    Parisippany, N.J. 07054
    (O) 973-540-8400  x227
    (C) 973-570-3803
    (F) 973-540-8440



  • 4.  RE: C&C...Scenarios from the Field

    Posted 05-30-2020 11:11 AM
    The data was encrypted at rest?

    ------------------------------
    Heidi Lourey
    Compliance Officer
    ------------------------------



  • 5.  RE: C&C...Scenarios from the Field

    Posted 05-30-2020 11:17 AM

I would say this would be true if the PHI was encrypted and could not be accessed (read), used or disclosed. And if they had a recent backup, the availability of the PHI was not an issue to continue to work.

    Vicky

    Vicky Roe, RN CHC CPMA
    Clinical Auditor
    Southeast Georgia Health System, Inc.
    2415 Parkwood Drive, Brunswick, GA 31520
    Office: (912) 466-3264   Fax: (912) 466-7044   Email: vroe@sghs.org



  • 6.  RE: C&C...Scenarios from the Field

    Posted 05-30-2020 11:25 AM
    The PHI was encrypted at rest and falls under the no-reporting exception of the Breach Notification section of HIPAA.  In addition, the loss of time and data entered after the backup could be recreated, so the loss of availability was deemed acceptable.  There was a breach, but not reportable.

    ------------------------------
    Lloyd Hemmert
    Compliance & Ethics Officer
    Hill Country MHDD Centers
    Kerrville, TX
    [lhemmert@hillcountry.org]
    ------------------------------



  • 7.  RE: C&C...Scenarios from the Field

    Posted 05-31-2020 09:38 AM
    Well done.  Too bad some of our colleagues did not have the benefit of your answers to this question in a situation that inspired this scenario.

    More scenarios to follow.

    ------------------------------
    -------------Frank "Snake Bite Leader" Ruelas--------------
    ------------------------------
