1 UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14
2 RULES Issued August 19, 2009 Requires Covered Entities to notify individuals of a breach as well as HHS without reasonable delay or within 60 days. Further notification requirements of media and HHS if > 500 individuals. Requires Business Associates to notify Covered Entities of breach.
3 Why? Prior to the HITECH Act, this Rule did not exist. HITECH removed the harm threshold and replaced it with a more objective standard. The Rule strengthened the privacy and security protections for health information established under HIPAA.
4 What? Notification is required to affected individuals and to the Secretary of HHS following a discovery of a breach of unsecured protected health information (PHI). It establishes a uniform requirement to inform individuals and HHS when a breach of unsecured protected health information occurs.
5 What is a Breach? Generally, it is an impermissible use or disclosure that compromises the security or privacy of PHI. An impermissible use or disclosure of PHI is presumed to be a breach unless the Covered Entity or Business Associate demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment.
6 Responsibilities of the Covered Entity and Business Associate Both must have: Documented policies and procedures regarding breach notification; A training and awareness program for the workforce staff; A security incident response, reporting and management system; A risk assessment system to determine probability of breach and breach notification; and A sanction policy for those who do not comply with the policies/procedures.
7 Breach Excludes #1 The unintentional acquisition, access or use of PHI by a workforce member acting under the authority of the CE or BA, if the acquisition, access or use was made in good faith and within the scope of their authority and does not result in further use or disclosure in a manner permitted by the Privacy Rule. This does not include snooping employees as this would be intentional and not in good faith.
8 #2 Exception The inadvertent disclosure of PHI from a person authorized to access PHI at a CE or BA to another person authorized to access PHI at the CE or BA. In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule.
9 #3 Exception If the CE or BA has a good faith belief that the unauthorized individual, to whom the impermissible disclosure was made, would not have been able to retain the information.
10 Examples of Exceptions A fax with PHI is misdirected to the wrong physician, and upon receipt, the receiving physician calls to say it was received in error and has been destroyed. A risk assessment may be able to determine a low risk that the information was compromised and would not constitute a breach. A lab report was mistakenly sent to the patient s brother with the same last name as the patient. Determining if this is a reportable breach will depend upon the relationship of the brother and patient, and whether the patient s brother actually viewed any of the patient s PHI.
11 Examples - Continued A letter was sent to the wrong address. The letter was returned unopened, as undeliverable. It can be concluded that the improper address could not reasonably have retained the information. A nurse hands discharge papers to the wrong patient and immediately recognizes the error and retrieves them. This would not constitute a breach as the person could not have retained the information.
12 Remember, notification is required if the breach involved unsecured PHI. Definition: PHI that has not been rendered unusable, unreadable or indecipherable to unauthorized persons through the use of technology or methodology. Unsecured PHI Encryption and destruction are the technologies and methodologies that meet this definition.
13 Discovery of a Breach A breach of unsecured PHI shall be treated as discovered by a CE: On the first day the breach is known to the CE; At the time the workforce member or other agent has knowledge of the breach; By exercising reasonable diligence and would have been known to the CE; Reasonable diligence means the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.
14 Breach Investigation The practice shall name an individual to act as the investigator (Privacy Officer, Security Officer, Risk Manager). The investigator shall be responsible for the management of the breach investigation, completion of a risk assessment, documentation and coordinating with others in the organization. The investigator shall be the key facilitator for all breach notification processes to the appropriate entities. (e.g., HHS, patient, media, law enforcement, etc.)
15 Risk Assessment To determine if there is a low probability that the PHI has been compromised, a risk assessment needs to be performed. The assessment is to be fact specific and must address four factors: The nature and extent of the PHI involved including the types of identifiers and the likelihood of re-identification; The unauthorized person who used the PHI or to whom the PHI was disclosed; Whether the PHI was actually acquired or viewed; and The extent to which the risk to the PHI has been mitigated.
16 Factor One: Nature and Extent of the PHI Evaluate the types of identifiers and likelihood of re-identification of the PHI: Social security numbers, credit cards, financial data (risk of identity theft or financial fraud) Clinical data, diagnosis, treatment, medications Mental health, substance abuse, sexually transmitted diseases, pregnancy
17 Factor Two: Who Used the PHI and to Whom Was It Disclosed To Consider who the unauthorized person was who used the PHI and to whom the impermissible disclosure was made. Does the unauthorized person who received the information have obligations to protect its privacy and security? Does the unauthorized person who received the PHI have the ability to re-identify it?
18 Factor Three: Was the PHI Actually Acquired or Viewed Determine if the PHI was actually acquired or viewed or if only the opportunity existed for the information to be acquired or viewed. E.g., laptop was stolen and later recovered. IT analysis shows that the PHI was never accessed, viewed, acquired or transferred or compromised. The entity could determine the PHI was not actually acquired although the opportunity existed.
19 Factor Four: What Extent was the Risk to the PHI Mitigated? Consider the extent to which the risk to the PHI has been mitigated. E.g. Obtain the recipient s satisfactory assurance that the information will not be further used or disclosed (can use a confidentialigy agreement, etc.) or will be destroyed (shredded).
20 Assessment Conclusion Evaluate the overall possibility that the PHI has been compromised. If your evaluation of the factors fail to demonstrate that a low probability of the PHI has been compromised, breach notification is required. If your PHI was encrypted, no breach notification is required.
21 Timeliness of Notification Covered Entities must notify individuals of a breach without unreasonable delay but in no case later than 60 calendar days from the discovery of the breach (not when the investigation is complete). This allows the CE to take a reasonable amount of time to investigate the circumstances around the breach in order to collect and develop the information required to be included in the notice to the individual.
22 Delay of Notification If a law enforcement official determines that a notification, notice or posting required under this section would impede a criminal investigation or cause damage to national security, such notification, notice or posting shall be delayed. The law enforcement official must provide a written statement citing the reason for the delay and specify the time for which a delay is required.
23 Content of Notice The notice must be written in plain language and must contain the following information, to the extent possible: A brief description of what happened, including the date of the breach and the date of discovery, if known; A description of the types of unsecured PHI that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, or other types of information were involved);
24 Content of Notice - Continued Any steps individuals should take to protect themselves from potential harm resulting from the breach; A brief description of what the CE involved is doing to investigate the breach, mitigate the harm to individuals, and to protect against any further breaches; and Contact procedures for individuals to ask questions or learn additional information which shall include a toll-free telephone number, an address, Web site or postal address.
25 Content of Notification - Continued The breach notice must be: Written in plain language and at an appropriate reading level using clear language without extra material that would diminish the message. Written in a language the individual who is not English proficient understands. E.g., Spanish Written in accordance with the Disabilities Act of 1990 to ensure effective communication with disable individuals in such formats as Braille, large print or audio.
26 Methods of Notification Mail: First class to individual s last known address. Minors/Incapacitated Individuals: Notice may be provided to parents or personal representative of the individual. Deceased Individual: If the CE knows individual is deceased, notification can be sent to next of kin or personal representative. If the CE had no contact information or has out-of-date contact information for the next of kin/personal representative, the CE is not required to provide substitute notice.
27 Substitute Forms of Notice These are substitute notices that are reasonably calculated to reach the individual: must have individual s consent to send. Telephone: if urgent notification is necessary due to potential for imminent misuse of unsecured PHI or individual refuses to accept written notice.
28 Notification Using Media If there is insufficient information for 10 or more individuals use as substitute form of notice. If breach has affected > 500 individuals: Notification within 60 calendar days to media. Notice must contain same information as individual notification. Must be in geographic area where affected individuals likely reside. This is in addition to, not a substitute for individual notice. Posting must be for 90 days.
29 brinstruction.html - HHS breach notification site. Immediate notification if breaches affect > 500 individuals. Immediate: same time as individual notification Notification to HHS < 500 individuals: No later than 60 days after the end of the calendar year in which the breaches were discovered, not the year in which the breaches occurred. E.g., 2013 unsecured PHI breaches would have to be reported by March 1, 2014.
30 Breach Log The practice shall maintain a process to record or log all breaches of unsecured PHI regardless of the number of patients affected. The following information should be logged: A description of what happened; date of breach; date of discovery, and # of individuals affected. A description of the type of PHI involved (such as name, SSN, DOB, address, etc.) A description of the action taken with regard to notification of patients.
31 Business Associate Responsibilities BA must notify the Covered Entity after the discovery of a breach. A breach is discovered on the day the BA, its employees, officer or agent knew or would have known of the breach by exercising reasonable diligence. Notice to CE must be provided without unreasonable delay and in no case later than 60 days after the breach notification obligations. Notification to CE automatically triggers CE s breach notification obligations. CE may delegate obligations to BA.
32 Burden of Proof After an impermissible use or disclosure of unsecured PHI, the CE and BA have the burden of demonstrating that all required notifications were made and that an impermissible use or disclosure did not constitute a breach. The CE has to show a low probability that the PHI was compromised with a risk assessment. The focus of the assessment is not on the patient s harm, but whether the information has been compromised. If it cannot be clearly determined there is a low probability, it has to be treated as a breach.
33 Civil Monetary Penalties Prior to 2/18/09 $100/violation with a maximum of $25,000 in a calendar year for the same violation. After 2/18/09 HITECH Act increased penalties up to $50,000/violation with a maximum of $1.5 million in a calendar year for the same violation.
34 Civil Monetary Penalties - Continued Now a 4 tiered liability structure: Tier 1: The offender did not know: $100 - $50,000/violation Tier 2: Violation due to reasonable cause, not willful neglect: $1,000 - $50,000/violation Tier 3: Violation was due to willful neglect and corrected: $10,000 - $50,000/violation Tier 4: Violation was due to willful neglect and NOT corrected: $50,000/violation
35 Factors in Determining Penalty The nature and extent of the violation, including the # of individuals affected. The nature and extent of the harms to the individual(s): physical, financial, reputation, ability to continue their healthcare. History of prior compliance and previous violations. The financial condition of the CE or BA.
36 Other Penalties State Attorney Generals may also pursue civil actions for a HIPAA breach. HIPAA establishes a criminal penalty of up to $50,000 and/or imprisonment for up to one year for any person who knowingly : Uses or causes to be used a unique health identifier; Obtains individually identifiable health information relating to an individual; or
37 Other Penalties - Continued Discloses individually identifiable health information to another person. If such offenses are committed under false pretenses, the penalty may be increased up to $100,000 and/or imprisonment up to 5 years. If the offense is committed with the intent of personal gain, the penalty is a fine up to $250,000 and/or imprisonment for up to 10 years. For criminal prosecution, the person charged had to have acted knowingly.
38 Further Information Arkansas Mutual Website All Things HIPAA: Omnibus Rule: Breach Notification HHS website: Breach Notification Rule istrative/breachnotificationrule/