This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the breach notification rule was finalized in the HIPAA Omnibus Rule of 2013.
As part of the American Recovery and Reinvestment Act's HITECH requirements, a new requirement was created known as breach notification. When the HIPAA Omnibus Rule was published in 2013, it included the final rule for breach notification. This was the first nationwide breach notification rule. It requires a covered entity or business associate to conduct an investigation and complete a risk assessment on every potential breach within the organization. If it is determined that a breach happened, it must be communicated to the affected individuals, the Department of HHS, and local media within 60 days from the date of discovery. It is important to understand what is meant by date of discovery. The date of discovery should be treated as the first day a potential breach was known to any person within a covered entity or business associate, such as a workforce member, or should reasonably have been known to such entity or individual. A covered entity and business associate should have a clearly defined policy and procedure for breach notification within their organization.
The final definition of a breach was published in the HIPAA Omnibus Rule of 2013. An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the PHI has been compromised. At this time there is no clear definition from the Department of Health and Human Services of what "compromised" means. A covered entity should therefore define its own process for conducting the risk assessment and for determining that there is a low probability that the PHI was compromised.
A breach occurs when unsecured PHI is used or disclosed improperly. The HIPAA Omnibus Rule amended the definition of unsecured PHI to "protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology." There are technologies and methodologies that make PHI unusable, unreadable, or indecipherable, namely encryption and destruction. Specifically, the 4 areas where information is deemed to be secured are:
1. Valid encryption for data at rest
2. Valid encryption for data in motion
3. Paper, film, or other hard copy media that has been shredded or destroyed so that the PHI cannot be read or reconstructed (redaction is excluded as a means of data destruction)
4. Purging of electronic media (media sanitization)
NIST guidelines should be followed for the encryption requirements as well as for media sanitization.
Here you will see some examples of potential breaches. Each of these would require an investigation and risk assessment to determine the risk to the PHI.
- An employee inappropriately accesses a co-worker's chart
- A fax is sent to the incorrect fax number
- A release of information is sent to the incorrect recipient
- An employee blogs about their work day and includes a specific patient diagnosis that can be linked to a patient
- Someone has hacked into your EHR and obtained SSNs for multiple patients
- A physician or employee inappropriately accesses the chart of a celebrity
- An e-mail containing PHI is sent to the incorrect e-mail recipient
The risk assessment of the potential breach becomes the focal point of the entire process. Covered entities and business associates are required to conduct an investigation and risk assessment on every potential breach within the organization. They may instead opt to provide the required breach notifications following an impermissible use or disclosure without performing a risk assessment to determine the probability that the protected health information has been compromised. In this case, the covered entity or business associate would still need to document the outcome and the notification process. When conducting the risk assessment, the following 4 items need to be collected at a minimum:
1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
2. The unauthorized person who used the protected health information or to whom the disclosure was made;
3. Whether the protected health information was actually acquired or viewed; and
4. The extent to which the risk to the protected health information has been mitigated.
When documenting the outcome of the investigation, the findings for each of these four factors should be recorded for every case.
Maintaining documentation for all breach investigations is an administrative requirement under the breach notification rule. Covered entities must provide documentation to support their burden of proof with respect to breach notifications. Documentation for the burden of proof should show one of the following:
1. All required parties were notified of the breach; OR
2. The use or disclosure did not constitute a breach, supported by either:
   - a breach risk assessment showing a low probability that the PHI was compromised; OR
   - application of one of the exceptions to the breach definition.
There are three exceptions to the definition of a breach:
1. Unintentional acquisition, access, or use of protected health information by a workforce member acting under the authority of a covered entity or business associate.
2. Inadvertent disclosure of protected health information by a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate.
3. A good faith belief by the covered entity or business associate that the unauthorized individual to whom the impermissible disclosure was made would not have been able to retain the information.
When conducting the risk assessment on a potential breach, a covered entity or business associate needs to evaluate these exceptions and determine whether the potential breach falls into one of these categories. If it does, the covered entity or business associate should clearly document which exception applies and the reasoning behind the decision.
When a covered entity or business associate determines that a breach has occurred, notification must be made to the appropriate parties. Every time a breach happens, notification must be sent to the impacted individuals and to the Secretary of HHS. If the breach impacts more than 500 people, a prominent media outlet in the area must also be contacted and informed of the breach. It is important to remember that all notification must be completed within 60 days from the date of discovery. If the breach affects fewer than 500 people, a covered entity or business associate has until 60 days past the end of the year in which the breach occurred to notify HHS.
Under the Omnibus Rule, law enforcement has the right to request a delay in the notification, notice, or posting of a breach. A delay can be requested if notification would impede a criminal investigation or cause damage to national security. The request for a delay can be made in writing or orally. If the request is made in writing, the covered entity or business associate should delay the notification, notice, or posting of the breach until the date specified in the official request for delay. If the request is made orally, the covered entity or business associate should document the statement, including the date of the statement, and delay the notification, notice, or posting of the breach for no longer than 30 days from the date of the oral statement.
Notification must be made to each of the affected individuals. The notice shall be made in writing, except where the covered entity does not have the correct contact information for the affected individual, or where there is particular urgency to the notification. The notice to affected individuals must contain, at a minimum, the 5 items listed here:
1. A brief description of what occurred with respect to the breach, including, to the extent known, the date of the breach and the date on which the breach was discovered;
2. A description of the types of unsecured PHI that were disclosed during the breach;
3. A description of the steps the affected individual should take in order to protect himself or herself from potential harm caused by the breach;
4. A description of what the Covered Entity is doing to investigate and mitigate the breach and to prevent future breaches; and
5. Instructions for the individual to contact the Covered Entity.
There is also an alternative notification process for a covered entity that has insufficient or out-of-date contact information for the affected individuals.
Each time a covered entity or business associate determines that a breach has occurred, notification to the Secretary of HHS must be made. The notification is completed through an online website. The key components of the notification report are listed here:
- Date(s) of breach
- Date(s) of discovery
- Approximate number of people impacted
- Type of breach (theft, loss, improper disposal, hacking, unauthorized access/disclosure)
- Location of breached information (laptop, desktop, network server, e-mail, other portable device, other)
- Type of PHI involved (demographic, financial, clinical, other)
- Brief description of the breach
- Safeguards in place prior to the breach (firewalls, encrypted wireless, etc.)
- Individual notice of breach
- Whether media notice was required
- Actions taken in response to the breach (security and/or privacy safeguards, mitigation, sanctions, policies and procedures, other)
In cases where the breach involves more than 500 residents of a State or jurisdiction, a Covered Entity must provide notice to a prominent media outlet. It is best practice for the covered entity to designate a communications coordinator within the organization. Some areas to take into consideration when working with the media outlet are:
- Ensure that the communications coordinator has a clear understanding of the technical issues behind the incident so that he or she can communicate effectively and accurately with the media.
- Communicate accurate and concise information; avoid communicating misleading information, which may result in damage to the organization's reputation.
- Consult with legal counsel regarding the extent of information to be disclosed.
- Avoid communicating technical details that may entice hackers.
- Consult with investigative agencies to ensure that any details about the incident that may be used as evidence are not disclosed without approval.