11.07.2017 HIPAA Check: Do You Know What to Do if a Breach Happens to You?
Breaches happen. They happen to major health systems, and they happen to solo practitioners. They happen to health plans, and they happen to health information technology vendors. In our technology-reliant world, it would be easy to point fingers at the proliferation of our online lives as the problem. However, most breaches still have a decidedly “low-tech” component: human error. Even with the best security and best workforce training, breaches will occur, and when they collide with a highly-regulated industry such as health care, an old statute with new bite plays a significant role in how entities respond: the Health Insurance Portability and Accountability Act of 1996 (HIPAA).[i]
HIPAA and its implementing regulations dictate what health care providers, health plans, and health care clearinghouses can do with their “protected health information,” or “PHI,” and what measures these “covered entities” must put in place to enhance the security of their PHI.[ii] The HIPAA rules also describe how to know and what to do if you have experienced a “breach.”[iii]
How do you know if you have a breach?
You have a set of facts that might indicate data compromise – an errant email, mysterious log-in activity to your electronic health record or a lost or stolen laptop. How do you know if you also have a breach? HIPAA defines “breach” as any unpermitted use or disclosure of unsecured PHI, subject to a few narrow exceptions. Notification obligations are triggered unless a covered entity has determined, through a risk assessment, that there is a “low risk of compromise.” For anything other than a “low risk,” covered entities must notify each affected or potentially affected individual, the Department of Health & Human Services’ Office for Civil Rights (OCR) and, for certain major breaches, local media outlets.
The default responsibility for breach notification is on the covered entity, although vendors and contractors that utilize PHI (i.e., “business associates”) are obligated to notify their covered entity clients in the event of a breach.[iv] Covered entities can also set stricter, more defined obligations for breach notification for their business associates and delegate notification responsibilities in their business associate agreements.
In determining whether notification is required, a risk assessment must account for at least the following four factors:
- The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the protected health information or to whom the disclosure was made;
- Whether the protected health information was actually acquired or viewed; and
- The extent to which the risk to the protected health information has been mitigated.[v]
These risk assessments are fact-specific analyses, based entirely on the facts and circumstances of the occurrence or event. For example, in 2016, OCR published guidance on HIPAA’s application to ransomware attacks, the malware attacks where data is encrypted and held for ransom, and indicated that such attacks should be presumed to be a breach because they constitute an impermissible acquisition of the PHI.[vi] Despite OCR’s clear intent to treat ransomware attacks as breaches, OCR stopped short of calling all ransomware attacks breaches that require notification, stating that entities may still find that there is a “low risk of compromise” through a risk assessment.
Further, OCR has said that covered entities may skip the performance of a risk assessment and go right to notification. However, if a covered entity is unsure of whether a breach has occurred, a risk assessment reaching a good faith conclusion should be performed and documented.[vii] The burden is on the covered entity to show that it fulfilled all regulatory requirements, so documentation should be maintained in a place where it can be found in the event of an audit or investigation.
Why does compliance matter?
There is a simple reason why it is important to perform risk assessments: to make required notifications timely and correctly, and to document exceptions, risk assessments, and notifications appropriately. OCR enforcement activity has increased in the last few years, and many of the settlements published on OCR’s website have resulted from investigations originating with one or more breaches.[viii] This year, OCR issued its first settlement arising from late breach notification (just one month late!) for $475,000.[ix] As of August 31, 2017, the highest OCR settlement to date is $5.55 million, with a total of almost $73 million collected through settlements since enforcement began.[x]
The reality is that not all breaches are preventable, but the HIPAA Security Rule prescribes numerous measures that are designed to instill good data protection practices in covered entities and business associates. These measures include facility and software/hardware access security, malware protection, and employee training.[xi] Among the most important Security Rule measures as to breach notification are those for encryption in transmission and at rest.[xii] Data that are encrypted are considered “secured” and, therefore, not subject to breach notification.[xiii] As OCR continues to actively enforce HIPAA, covered entities and business associates alike should reevaluate their compliance with all aspects of HIPAA, including the breach notification regulations.
For more information, please see our Health Care Data Aware Blog, which highlights current events, news and key legal and regulatory authorities and guidance related to health care data privacy and security, or contact me at (804) 420-6609 or firstname.lastname@example.org.
[i] Pub. L. No. 104-191, 110 Stat. 1936 (1996) (as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH Act) (Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5)).
[ii] 45 C.F.R Parts 160 and 164, Subparts A and E (the “Privacy Rule”); 45 C.F.R. Parts 160 and 164, Subparts A and C (the “Security Rule”).
[iii] 45 C.F.R. 164.400 et seq.
[iv] 45 C.F.R. 164.404-410.
[v] 45 C.F.R. 164.402.
[vi] “FACT SHEET: Ransomware and HIPAA,” available at https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf
[vii] “Breach Notification Rule,” available at https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html.
[viii] “Resolution Agreements,” available at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html.
[ix] “First HIPAA Settlement for Lack of Timely Breach Notification Settles for $475,000,” available at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/presence/index.html
[xi] 45 C.F.R. 164.308-312.
[xii] 45 C.F.R. 164.312(a)(2)(iv); 164.312(e)(2)(ii).
[xiii] 45 C.F.R. 164.402 (defining “Unsecured Protected Health Information”).