bmad-plus 0.4.4 → 0.6.0

package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md

@@ -0,0 +1,293 @@
+# HIPAA Breach Notification Rule Reference
+## 45 CFR Part 164, Subpart D (HITECH / 2009)
+
+---
+
+## Table of Contents
+1. [What is a Breach?](#1-what-is-a-breach)
+2. [Breach Risk Assessment (4-Factor Test)](#2-breach-risk-assessment-4-factor-test)
+3. [Notification to Individuals](#3-notification-to-individuals)
+4. [Notification to HHS](#4-notification-to-hhs)
+5. [Notification to Media](#5-notification-to-media)
+6. [Business Associate Obligations](#6-business-associate-obligations)
+7. [Documentation Requirements](#7-documentation-requirements)
+8. [Penalties & Enforcement](#8-penalties--enforcement)
+9. [Breach Response Workflow](#9-breach-response-workflow)
+10. [Common Breach Scenarios](#10-common-breach-scenarios)
+
+---
+
+## 1. What is a Breach?
+
+### Definition (§164.402):
+A **breach** is the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule that compromises the security or privacy of the PHI.
+
+### Three Exceptions — These Are NOT Breaches:
+1. **Unintentional access** by workforce member acting in good faith within scope of authority — if no further use/disclosure
+2. **Inadvertent disclosure** between authorized persons at the CE/BA — if no further use/disclosure
+3. **Good faith belief** that unauthorized person who received PHI could not have retained it (e.g., misdirected fax that was immediately returned/destroyed)
+
+### Presumption:
+**Assume it's a breach unless the CE/BA demonstrates low probability that PHI has been compromised** using the 4-Factor Risk Assessment.
+
+---
+
+## 2. Breach Risk Assessment (4-Factor Test)
+### §164.402(2)
+
+To rebut the presumption of a breach, document a risk assessment considering:
+
+### Factor 1: Nature and Extent of PHI Involved
+- What types of identifiers were included?
+- Was financial information involved (SSN, credit card, bank account)?
+- Was clinical information included (diagnosis, treatment, medication)?
+- Higher sensitivity = higher likelihood of compromise
+
+### Factor 2: Who Unauthorized Person Was
+- Was it another CE or BA (who would understand privacy obligations)?
+- Was it a member of the public?
+- Was it a malicious actor vs. inadvertent recipient?
+- Known or unknown recipient?
+
+### Factor 3: Whether PHI Was Actually Acquired or Viewed
+- Did the unauthorized person actually access the information?
+- Was the email read? Was the USB drive opened?
+- Technical evidence (email delivery receipts, server logs)?
+- Attestation from recipient that they did not view/retain?
+
+### Factor 4: Extent to Which Risk Has Been Mitigated
+- Was the PHI retrieved/destroyed?
+- Did recipient sign a confidentiality agreement?
+- Did recipient provide credible assurance of destruction?
+
+### Assessment Outcome:
+- **Low probability of compromise** → Not a reportable breach (document your reasoning thoroughly)
+- **Cannot demonstrate low probability** → Treat as reportable breach
+
+> **Important**: HHS scrutinizes risk assessments. Document contemporaneously, thoroughly, and honestly. A weak or post-hoc justification is worse than treating the incident as a breach.
+
+### Safe Harbor — Encryption:
+If PHI was **encrypted** using NIST-approved methods AND the encryption key was not also compromised → **Not a reportable breach** (§164.402(2) exception).
+- Acceptable: AES-128+, NIST FIPS 140-2 validated
+- Must maintain documentation of encryption
+
+---
+
+## 3. Notification to Individuals
+### §164.404
+
+### Timeline:
+**Without unreasonable delay AND within 60 calendar days** of discovery of the breach.
+
+Discovery = when CE/BA knew or should have known of the breach (not when investigation concludes).
+
+### Method:
+- **First choice**: Written notice by **first-class mail** to last known address
+- **If email on file and individual agreed to electronic notice**: Email acceptable
+- **If contact info insufficient or out-of-date** (10+ individuals): Substitute notice:
+  - Prominent posting on website homepage for 90 days + toll-free number, OR
+  - Major print/broadcast media in affected area
+- **Urgent situations** (imminent misuse risk): Phone or other means in addition to written notice
+
+### Required Content of Individual Notice (§164.404(c)):
+1. Brief description of what happened (date of breach, date of discovery if known)
+2. Description of types of PHI involved
+3. Steps individuals should take to protect themselves
+4. Brief description of what CE is doing to investigate, mitigate, and prevent recurrence
+5. Contact info (toll-free number, email, website, or postal address)
+
+---
+
+## 4. Notification to HHS
+### §164.408
+
+### Timeline Depends on Breach Size:
+
+| Affected Individuals | HHS Notification Deadline |
+|---------------------|--------------------------|
+| **500 or more** in a state/jurisdiction | **Simultaneously with individual notice** (within 60 days of discovery) |
+| **Fewer than 500** | **Annual log** — submit within 60 days after end of calendar year |
+
+### How to Submit:
+- HHS Breach Reporting Portal: www.hhs.gov/hipaa/for-professionals/breach-notification/
+- Breaches of 500+ are posted on HHS "Wall of Shame" (public)
+
+### Required Information for HHS Report:
+- Name of CE
+- Contact information
+- Type of breach (theft, loss, unauthorized access/disclosure, hacking, improper disposal, other)
+- Location of breached information (laptop, paper, EHR, email, other)
+- Number of individuals affected
+- Date of breach
+- Date of discovery
+- Description of PHI types involved
+- Description of safeguards in place
+- Actions taken in response
+
+---
+
+## 5. Notification to Media
+### §164.406
+
+### Required When:
+Breach affects **500 or more residents** of a **state or jurisdiction**.
+
+### Timeline:
+Without unreasonable delay and within **60 calendar days** of discovery.
+
+### Method:
+Notify prominent media outlets serving the affected state/jurisdiction (e.g., major newspaper, TV station).
+
+### Content:
+Same as individual notification content.
+
+> Note: Media notification is IN ADDITION to individual and HHS notification — not a substitute.
+
+---
+
+## 6. Business Associate Obligations
+### §164.410
+
+### BA Must Notify CE:
+- **Without unreasonable delay** and within **60 calendar days** of discovery
+- BA discovery = when any employee, officer, or agent of BA knows (or should know)
+
+### What BA Must Provide to CE:
+- Identity of each individual affected (if known)
+- All information needed for CE to provide required notifications
+
+### CE Remains Responsible:
+- The CE must send notifications to individuals, HHS, and media
+- CE's 60-day clock runs from CE's discovery OR BA's notification (whichever is earlier)
+- CE and BA should establish clear breach notification obligations in BAA
+
+### BA-to-Subcontractor:
+- Subcontractors of BAs must notify the BA (same timeline)
+- Chain of notification flows up: Subcontractor → BA → CE
+
+---
+
+## 7. Documentation Requirements
+### §164.414
+
+### Must Maintain Documentation of:
+- Risk assessments for incidents (justifying breach vs. non-breach determination)
+- All notifications sent (copies)
+- Dates notifications were sent
+- Substitute notice postings
+- HHS reports submitted
+- Media notifications
+
+### Retention: 6 years from creation or last effective date
+
+### Best Practice — Incident Log:
+Maintain a running log of all security incidents (whether or not they rise to reportable breach level). Useful for:
+- Demonstrating Security Rule compliance (§164.308(a)(6))
+- Pattern identification
+- HHS investigations
+- Annual HHS small breach reporting
+
+---
+
+## 8. Penalties & Enforcement
+### HITECH / §160.404
+
+### Civil Money Penalties (CMPs):
+
+| Violation Category | Per Violation | Calendar Year Cap |
+|-------------------|--------------|-------------------|
+| Did not know (reasonable diligence) | $137 – $68,928 | $2,067,813 |
+| Reasonable cause (not willful neglect) | $1,379 – $68,928 | $2,067,813 |
+| Willful neglect — corrected | $13,785 – $68,928 | $2,067,813 |
+| Willful neglect — not corrected | $68,928 – $2,067,813 | $2,067,813 |
+
+> Note: Penalty amounts are adjusted annually for inflation (figures above are approximate 2024 levels).
+
+### Criminal Penalties (§1320d-6):
+- Knowingly obtaining/disclosing PHI: Up to $50,000 + 1 year imprisonment
+- Under false pretenses: Up to $100,000 + 5 years
+- With intent to sell/transfer/use for commercial advantage: Up to $250,000 + 10 years
+
+### State Attorneys General:
+- May bring civil actions for HIPAA violations on behalf of state residents
+- May obtain $100/violation, up to $25,000/year per violation category (pre-inflation)
+
+### HHS Enforcement Priorities (Historical):
+- Risk analysis failures (most common)
+- Access control deficiencies
+- Insufficient encryption (not implementing addressable standard)
+- Business Associate Agreement failures
+- Insufficient audit logging
+- Failure to timely notify of breaches
+
+---
+
+## 9. Breach Response Workflow
+
+```
+INCIDENT DETECTED
+      │
+      ▼
+STEP 1: CONTAINMENT (Immediate)
+- Isolate affected systems
+- Preserve evidence (logs, screenshots)
+- Prevent further unauthorized access
+- Assign incident response team
+      │
+      ▼
+STEP 2: INVESTIGATION (Days 1-14)
+- What PHI was involved? (types, quantity)
+- When did breach occur? When discovered?
+- Who was affected (individuals)?
+- How did breach occur?
+- Was encryption in place?
+      │
+      ▼
+STEP 3: RISK ASSESSMENT (Days 1-30)
+- Apply 4-Factor Test (see Section 2)
+- Document analysis contemporaneously
+- Determine: Reportable Breach or Not?
+      │
+      ├─ NOT A BREACH ──→ Document findings; close incident; review safeguards
+      │
+      ▼
+STEP 4: IF REPORTABLE BREACH
+      │
+      ├─ Notify INDIVIDUALS within 60 days of discovery
+      ├─ Notify HHS:
+      │    ├─ 500+ affected: Within 60 days of discovery
+      │    └─ <500 affected: Add to annual log; report by Mar 1 of following year
+      └─ Notify MEDIA if 500+ residents in a state/jurisdiction
+      │
+      ▼
+STEP 5: REMEDIATION
+- Address root cause
+- Enhance safeguards
+- Update policies/procedures
+- Retrain workforce
+- Update Risk Analysis
+      │
+      ▼
+STEP 6: DOCUMENTATION
+- Incident report with all details
+- Risk assessment documentation
+- Copies of all notifications sent
+- Remediation steps taken
+```
+
+---
+
+## 10. Common Breach Scenarios
+
+| Scenario | Breach? | Key Considerations |
+|----------|---------|-------------------|
+| Laptop with unencrypted PHI stolen | **Yes** (unless risk assessment rebuts) | Encryption safe harbor doesn't apply; document risk assessment |
+| Encrypted laptop stolen | **Likely not** | Confirm encryption was FIPS 140-2 compliant; document |
+| Email with PHI sent to wrong patient | **Risk assess** | Did recipient view it? Can they be contacted to confirm deletion? |
+| PHI mailed to wrong address | **Risk assess** | Was it returned unopened? Could recipient have retained it? |
+| Employee snoops on celebrity patient records | **Yes** | Workforce members are authorized users but this is impermissible access |
+| Ransomware encrypts ePHI | **Likely yes** | Access/acquisition occurred; must conduct risk assessment; difficult to rebut |
+| Vendor (BA) has breach | **Yes** | BA must notify CE; CE must notify individuals within 60 days |
+| PHI posted on social media by employee | **Yes** | Impermissible disclosure; high severity |
+| Paper PHI left in unsecured area briefly | **Risk assess** | Was it accessed? By whom? Mitigated? |
+| Verbal disclosure of PHI to wrong party | **Privacy Rule** (not Security Rule) | Breach Notification applies to PHI broadly, not just ePHI |

package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md

@@ -0,0 +1,276 @@
+# HIPAA Privacy Rule Reference
+## 45 CFR Part 164, Subparts A and E
+
+---
+
+## Table of Contents
+1. [Applicability & Scope](#1-applicability--scope)
+2. [Uses and Disclosures — General Rules](#2-uses-and-disclosures--general-rules)
+3. [Permitted Uses Without Authorization](#3-permitted-uses-without-authorization)
+4. [Patient Rights](#4-patient-rights)
+5. [Notice of Privacy Practices (NPP)](#5-notice-of-privacy-practices-npp)
+6. [Minimum Necessary Standard](#6-minimum-necessary-standard)
+7. [Authorization Requirements](#7-authorization-requirements)
+8. [Special Categories of PHI](#8-special-categories-of-phi)
+9. [Administrative Requirements](#9-administrative-requirements)
+10. [Marketing & Fundraising](#10-marketing--fundraising)
+
+---
+
+## 1. Applicability & Scope
+
+**Covered Entities (CEs)** subject to Privacy Rule:
+- Health plans (insurance companies, HMOs, employer-sponsored plans with 50+ participants)
+- Healthcare clearinghouses
+- Healthcare providers who transmit health information electronically
+
+**Business Associates (BAs):**
+- Entities that create, receive, maintain, or transmit PHI on behalf of a CE
+- Must sign a **Business Associate Agreement (BAA)** before PHI is shared
+- Subject to Security Rule; portions of Privacy Rule apply via BAA
+
+**PHI Definition** (§164.501):
+Protected Health Information = health information that:
+- Is created or received by a CE/BA
+- Relates to past/present/future physical or mental health condition, healthcare provision, or payment
+- Identifies or could reasonably identify the individual
+
+**Does NOT apply to:**
+- Employers acting in their employer capacity
+- Life insurers (unless also a health plan)
+- Workers' comp carriers (in most states, not subject to HIPAA directly)
+- Education records (FERPA applies instead)
+
+---
+
+## 2. Uses and Disclosures — General Rules
+
+### General Prohibition (§164.502(a))
+A CE/BA may not use or disclose PHI except as permitted or required by the Privacy Rule.
+
+### Required Disclosures (§164.502(a)(2))
+- To the **individual** (upon request for access or accounting)
+- To **HHS** for compliance investigations/enforcement
+
+### Consent vs. Authorization vs. Agreement
+| Mechanism | When Required | Notes |
+|-----------|--------------|-------|
+| Written Authorization | Uses/disclosures beyond TPO, marketing, sale of PHI | Must meet §164.508 requirements |
+| Opportunity to agree/object | Facility directories, to family/friends involved in care | Informal; oral ok |
+| No permission needed | TPO, public health, law enforcement (limited), etc. | See §164.512 |
+
+---
+
+## 3. Permitted Uses Without Authorization
+
+### Treatment, Payment, Operations (TPO) (§164.506)
+- **Treatment**: Providing, coordinating, managing healthcare
+- **Payment**: Billing, claims processing, utilization review
+- **Operations**: Quality assessment, training, auditing, legal, business planning
+
+### Other Permitted Disclosures (§164.512)
+| Purpose | Requirements |
+|---------|-------------|
+| Public health (§164.512(b)) | To authorized public health authorities |
+| Abuse/neglect reporting (§164.512(c)) | To government authorities authorized to receive |
+| Health oversight (§164.512(d)) | Audits, inspections, licensure by oversight agencies |
+| Judicial/administrative (§164.512(e)) | Court order or subpoena with satisfactory assurance |
+| Law enforcement (§164.512(f)) | Limited; specific conditions apply (e.g., court order, crime on premises) |
+| Research (§164.512(i)) | With IRB/Privacy Board waiver or individual authorization |
+| Serious threat (§164.512(j)) | To prevent imminent serious harm to individual or others |
+| Workers' comp (§164.512(l)) | As authorized by workers' comp laws |
+| Decedents (§164.512(g)) | To coroners, medical examiners, funeral directors |
+| Limited data set (§164.514(e)) | Remove direct identifiers; require Data Use Agreement (DUA) |
+
+### Incidental Disclosures (§164.502(a)(1)(iii))
+Permitted if:
+- Reasonable safeguards are in place
+- Minimum necessary standard is met
+- Example: A patient overhearing another patient's conversation in a waiting room
+
+---
+
+## 4. Patient Rights
+
+### Right of Access (§164.524)
+- Individuals have the right to inspect and obtain a copy of their PHI in a **designated record set**
+- **Timeline**: Provide access within **30 days** (one 30-day extension permitted with written notice)
+- **Format**: Must provide in format requested if readily producible; electronic if requested
+- **Fees**: May charge a reasonable, cost-based fee (labor + supplies + postage only); no retrieval fees
+- **Denials**: Permitted for psychotherapy notes, information compiled for legal proceedings, PHI that could endanger life/safety; some denials are reviewable
+
+> **2021 Rule Update**: HHS reinforced that fees must be limited; EHR patient portal access must be free.
+
+### Right to Amend (§164.526)
+- Individual may request amendment to their PHI in a designated record set
+- **Timeline**: 60 days to act (one 60-day extension)
+- May deny if: CE did not create the record; record is accurate and complete; not part of designated record set
+
+### Right to Accounting of Disclosures (§164.528)
+- Right to list of disclosures made in prior 6 years
+- **Excludes**: TPO disclosures, to the individual, authorized disclosures, incidental, national security
+- **Timeline**: 60 days (one 60-day extension)
+
+### Right to Request Restrictions (§164.522(a))
+- Individual may request restrictions on uses/disclosures for TPO or to family/friends
+- CE is **not required** to agree — **except**: must honor restriction on disclosure to health plan for service paid out-of-pocket in full
+
+### Right to Confidential Communications (§164.522(b))
+- Individual may request alternative means or locations for communications
+- CE must accommodate **reasonable requests**; no explanation required from individual
+- Health plans must accommodate if individual states disclosure could endanger them
+
+### Right to Notice (§164.520)
+- Right to receive a Notice of Privacy Practices (see Section 5)
+
+### Right to Opt Out of Fundraising (§164.514(f))
+- Must include opt-out mechanism in every fundraising communication
+
+---
+
+## 5. Notice of Privacy Practices (NPP)
+
+### Required for: All Covered Entities (not BAs)
+
+### Must Be Provided (§164.520(c)):
+- At first service delivery (in-person)
+- On request
+- On CE's website (if one exists)
+- Health plans: at enrollment and every 3 years if material changes
+
+### Required NPP Contents (§164.520(b)):
+1. **Header**: "THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY."
+2. Description of how CE may use/disclose PHI (with examples of TPO + other)
+3. Description of other uses requiring authorization
+4. Individual rights (access, amendment, accounting, restrictions, confidential comms, opt-out of fundraising)
+5. CE's duties (maintain privacy, notify of breaches, abide by NPP)
+6. How to complain (to CE and to HHS; no retaliation)
+7. Contact person/office for more information
+8. Effective date
+
+### Electronic NPP:
+- Can be provided electronically if individual agrees
+- Must be in plain language
+
+---
+
+## 6. Minimum Necessary Standard
+
+### Rule (§164.502(b), §164.514(d)):
+When using or disclosing PHI, or requesting from another CE, make reasonable efforts to limit PHI to the **minimum necessary** to accomplish the intended purpose.
+
+### Applies To:
+- Routine disclosures → Establish policies identifying persons who need access + type of PHI
+- Non-routine disclosures → Review on case-by-case basis
+- Requests from others → Limit requests to minimum necessary
+
+### Does NOT Apply To:
+- Disclosures to or requests by a treating provider
+- Disclosures to the individual
+- Pursuant to individual's authorization
+- Required by law
+- For HHS compliance activities
+
+### Practical Implementation:
+- Role-based access controls in EHR systems
+- Need-to-know training for workforce
+- De-identify data where full PHI isn't required
+
+---
+
+## 7. Authorization Requirements
+
+### When Required (§164.508):
+- Most uses/disclosures not covered by TPO or §164.512 permitted disclosures
+- **Always required for**: psychotherapy notes (with limited exceptions), marketing involving financial remuneration, sale of PHI
+
+### Valid Authorization Must Contain (§164.508(c)):
+1. Description of PHI to be used/disclosed (specific, meaningful)
+2. Name/class of person(s) authorized to make the disclosure
+3. Name/class of person(s) to whom disclosure may be made
+4. Description of each purpose of the use/disclosure
+5. Expiration date or event
+6. Individual's signature and date
+7. If signed by personal representative: description of authority
+8. Statement that individual may revoke
+9. Statement about re-disclosure risk (if applicable)
+10. Conditioning statement (if authorization is conditioned on treatment/payment)
+
+### Defective Authorization (§164.508(b)(2)):
+Authorization is defective if:
+- Expiration date has passed
+- Not filled out completely
+- CE knows it has been revoked
+- Compound authorization (combining with another document) when not permitted
+
+---
+
+## 8. Special Categories of PHI
+
+These categories receive **heightened protection** (often under state law as well):
+
+| Category | Notes |
+|----------|-------|
+| **Psychotherapy notes** | Stored separately; require specific authorization for almost all uses/disclosures |
+| **HIV/AIDS information** | Most states have additional restrictions beyond HIPAA |
+| **Substance use disorder** (42 CFR Part 2) | Separate federal law with stricter rules than HIPAA |
+| **Mental health records** | State law often adds restrictions |
+| **Reproductive health** | Post-Dobbs guidance; HHS issued rules limiting disclosure for lawful reproductive care |
+| **Genetic information** (GINA) | Cannot be used for underwriting by health plans |
+| **Minors** | Generally parents are personal representatives; exceptions for emancipated minors, sensitive services |
+
+> **Important**: State laws can be MORE protective than HIPAA. HIPAA sets a floor. Always check state law.
+
+---
+
+## 9. Administrative Requirements
+
+### Policies & Procedures (§164.530(i)):
+- Must implement written policies and procedures complying with Privacy Rule
+- Must document policies; retain for 6 years from creation or last effective date
+
+### Workforce Training (§164.530(b)):
+- Train all workforce members on privacy policies as necessary for them to carry out their functions
+- Train new members within reasonable time after joining
+- Document training
+
+### Sanctions (§164.530(e)):
+- Apply appropriate sanctions against workforce members who violate privacy policies
+- Document sanctions
+
+### Complaint Process (§164.530(d)):
+- Provide process for individuals to make complaints
+- Document all complaints and their disposition
+
+### Privacy Official (§164.530(a)):
+- Designate a Privacy Official responsible for developing and implementing policies
+- Designate a contact person for receiving complaints
+
+### Retaliation Prohibition (§164.530(g)):
+- May not retaliate against individuals for exercising HIPAA rights
+- May not retaliate against workforce members for filing complaints or participating in investigations
+
+### Waiver Prohibition (§164.530(h)):
+- May not require individuals to waive HIPAA rights as condition of treatment/payment/enrollment
+
+---
+
+## 10. Marketing & Fundraising
+
+### Marketing Definition (§164.501):
+Communication about a product/service that encourages recipients to purchase or use the product/service.
+
+### Marketing Requires Authorization EXCEPT:
+- Face-to-face communication with individual
+- Promotional gifts of nominal value
+- Refill reminders (if financial remuneration is reasonably related to CE's cost)
+- Communications about health-related products/services offered by CE (own services, treatment alternatives, case management) — if no financial remuneration from third party
+
+### Sale of PHI (§164.502(a)(5)(ii)):
+- Generally prohibited without authorization
+- Exceptions: public health, research, treatment, sale/merger of business, BAA, providing individual access
+
+### Fundraising (§164.514(f)):
+- May use demographic info + dates of service without authorization
+- Must include opt-out mechanism in each communication
+- Cannot condition treatment on making a donation