As more healthcare organizations face the daunting task of dealing with a data breach, more of them will have to become intimately familiar with the HIPAA Breach Notification Rule.
The rule requires HIPAA covered entities and business associates (BAs) to provide notification to individuals, regulators, and the media following a breach of protected health information (PHI). But the devil, as they say, is in the details.
Under what circumstances do covered entities and business associates need to report incidents involving PHI?
That depends on whether PHI was breached. According to HHS, a breach is an “impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.”
Covered entities and business associates must provide notification if the breach involves unsecured PHI, which is PHI that “has not been rendered unusable, unreadable, or indecipherable to unauthorized persons using technology or methodology” specified by HHS, the agency explained.
The best way to provide timely notification and comply with the rule is to understand what it requires, then to establish and refine breach notification policies and procedures. Organizations should also consider developing and implementing a cyber incident response plan that includes breach notification as part of a broader emergency preparedness and disaster recovery program.
Security experts agree that it’s not a question of if an organization will be breached, but a question of when. How can healthcare organizations comply with the HIPAA Breach Notification Rule after discovering a potential breach?
Conducting a thorough risk assessment
When a breach is suspected, HHS advises covered entities to conduct a risk assessment to determine the probability that the PHI has been accessed by an unauthorized person or persons. Organizations will need to assess:
- Whether the PHI was acquired or viewed
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
- The identity of the unauthorized person(s) who used the PHI or to whom the disclosure was made
- The extent to which the risk to the PHI has been mitigated by the covered entity
“You have to look at those four factors and run through an analysis for each one to figure out where you stand. You then use a combination of all of those to determine if there is a low probability of compromise, which would enable a finding that no breach has occurred,” Matt Fisher, chair of Mirick O'Connell’s Health Law Group, told HealthITSecurity.com.
While not required, performing a risk assessment whenever an organization suspects a breach is a good idea, added Jesse Coleman, partner with Houston-based law firm Seyfarth Shaw.
“The Office for Civil Rights, which is the enforcement mechanism for the HHS Secretary, will look to this risk assessment if it turns out that there has been some sort of impermissible use or disclosure that was not reported,” Coleman told HealthITSecurity.com.
“Any time you have an impermissible use or disclosure that appears to be a breach, you should do a risk assessment. It's a totality of circumstances analysis.”
Laura Hammargren, healthcare co-leader and cybersecurity and data privacy attorney with Chicago-based Mayer Brown, agreed. “I would do a risk assessment if you suspect a breach. You have to gauge whether it's reportable or to what extent it might need to be disclosed and to whom. To do that, you do need to figure out what exactly happened.”
HHS explained that there are three exceptions to the definition of a breach of PHI.
The first exception deals with the unintentional acquisition, access, or use of PHI by an employee or person acting under the authority of a covered entity or business associate. The person must have acquired, accessed, or used PHI in “good faith” and within the scope of his or her authority.
The second covers the inadvertent disclosure of PHI “by a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate, or organized health care arrangement in which the covered entity participates.” In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule.
The third exception involves a situation where the covered entity or business associate has a “good faith belief” that the unauthorized person to whom the impermissible disclosure was made would not have been able to retain the information.
Who should be notified and when?
HHS requires three types of entities to be notified in the case of a PHI data breach: individual victims, media, and regulators.
The covered entity must notify those affected by the breach of unsecured PHI within 60 days of discovery of the breach.
“That can be a question. When was the date of discovery? Is it the moment you suspect that you have a breach? Is it the time when you confirm that in fact there has been a breach and what that breach is? Different companies interpret that in different ways, although staying on the conservative side might save the company some pain later,” Hammargren told HealthITSecurity.com.
The notification deadline can be modified if law enforcement needs more time to investigate the breach and disclosure would impede the investigation.
According to HHS, the notification needs to include the following information:
- Description of the breach
- Description of the types of information involved in the breach
- Steps breach victims should take to protect themselves from harm
- Description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches
- Contact information for the covered entity
The covered entity must send this notification by first-class mail or email. If the covered entity has out-of-date or incomplete contact information for ten or more victims, it must post a notice on its home page for at least 90 days or provide a notice to major print or broadcast media where victims likely reside. In addition, the covered entity must set up a toll-free number that remains active for at least 90 days where victims can get information about the breach.
If a covered entity experiences a breach affecting more than 500 residents of a state or jurisdiction, it is required to notify prominent media outlets in that state or jurisdiction within 60 days of the breach’s discovery. The notification should be in the form of a press release and contain the same information that is required for notifying individuals.
Finally, a covered entity needs to inform OCR about a breach of unsecured PHI. If the breach impacts 500 or more individuals, the covered entity must notify OCR within 60 days following breach discovery. If the breach affects fewer than 500 individuals, a covered entity can notify OCR on an annual basis. This annual report is due to OCR no later than 60 days after the end of the calendar year in which the breaches were discovered.
In the event of a breach of PHI, covered entities and business associates must be able to demonstrate either that they provided all the required notifications, or that a risk assessment determined the disclosure of unsecured PHI was not a breach, or that the disclosure qualified for one of the aforementioned exceptions to the breach definition.
HIPAA Business Associates and Breaches
Business associates are required to notify covered entities of a breach within 60 days of the breach discovery. The BA should identify everyone affected by the breach and provide other information required by the covered entity in its notification.
The covered entity may delegate the responsibility of providing individual notices to the business associate. The two parties should determine which entity is best positioned to provide notice to the breach victims. This will depend on circumstances such as the business associate’s function and which party has a relationship with the victim. Ultimately, the covered entity is responsible for ensuring breach victims get notified.
“Business associates should look to any business associate agreement they have entered into, because by that contractual relationship there are times when the breach notification responsibility might be shared. There have been cases where the covered entity pushes the notification requirements down to the business associate, or the covered entity retains the discretion to review and approve any communication and reserves the right to send out the notification itself,” said Fisher.
Coleman agreed that the business associate should examine the contract it has with the covered entity when it comes to responding to and reporting a breach of PHI. He cited the sample business associate contract provided by HHS, part of which reads:
“A business associate is directly liable under the HIPAA Rules and subject to civil and, in some cases, criminal penalties for making uses and disclosures of protected health information that are not authorized by its contract or required by law. A business associate also is directly liable and subject to civil penalties for failing to safeguard electronic protected health information in accordance with the HIPAA Security Rule.”
Developing a cyber incident response plan
The HIPAA Breach Notification Rule requires covered entities to have written policies and procedures regarding breach notification, to train employees on these policies and procedures, and to develop and apply sanctions against employees who do not comply with these policies and procedures.
Fisher advised covered entities to go beyond breach notification policies and procedures and develop a broader cyber incident response plan.
“Under the Breach Notification Rule, you need to have a breach notification policy that should lay out the timeline for the risk assessment and the elements that need to go into the notification. A broader cyber incident response plan would also make sense because that would tie into disaster recovery and emergency preparedness required under the Security Rule,” Fisher said.
Creating an incident response plan can also ensure that breaches are addressed quickly and thoroughly. The 2018 CHIME HealthCare’s Most Wired survey describes critical components of a cyber incident response plan:
- Document EHR-outage procedures
- Develop security/privacy breach notification procedures
- Conduct tabletop exercises at least annually
- Tie disaster-recovery plan to business-continuity plan
- Include marketing and communications, human resources, resource management team, legal team, and other members of the organization in planning and exercises
- Hold enterprise-wide exercises at least annually
“A cyber incident response plan sounds like a very good idea,” commented Coleman.
“HIPAA training privacy and security should be included with all employees that are part of a covered entity. And there should be training as to notification at each level,” he added.
Leveraging data encryption to reduce risks
One sure way to prevent a reportable data breach is to render PHI unusable to external parties through encryption. The HIPAA Security Rule describes encryption as the “use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.”
To avoid a breach of the confidential process or key, decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt, OCR explained in guidance on the topic.
Another way to render unsecured PHI unusable is to destroy the media on which it is printed or stored. Paper, film, or other hard copy media should be shredded or destroyed such that the PHI cannot be read or reconstructed. Redaction is not allowed as a means of data destruction. Electronic media must be cleared, purged, or destroyed, according to the guidance.
Hammargren asserted that breach notification is an issue that will be “front and center” in the coming years and “will only get more important as we go forward in this digital age.”
Fisher added, “It’s only a matter of time before a breach happens. Organizations need to be aware that there are clear obligations under HIPAA about how you go about notification once that breach happens. So be prepared in advance. Make sure you have the breach notification policy in place. Don’t try to delay and avoid the problem. That will only make it worse.”
To meet HIPAA obligations, healthcare organizations need to establish and refine breach notification policies and procedures, which should be included as part of a cyber incident response plan.
Organizations should train management and staff periodically on the plan, and exercises should be conducted regularly. Those who neglect these obligations could end up facing hefty fines, lawsuits, and damaged reputation.