How Does a HIPAA Violation Become a Privacy Breach?
Karen Voiles, MBA, CHC, CHPC, CHRC
Senior Managing Consultant, Compliance

Agenda
- Differentiating between a HIPAA violation and a reportable breach
- Best practices for documenting HIPAA violations and reportable breaches
- Notification requirements for violations and breaches
- When should legal counsel be involved?
- Examples of HIPAA violations versus reportable breaches
When Does a HIPAA Incident Become a Breach?
- Under the Omnibus Rule of 2013 (the Final Rule), a HIPAA incident must ALWAYS be considered a reportable breach UNLESS a four-factor risk assessment is completed which determines that there is a low probability that the protected health information (PHI) involved has been compromised
- *See policy and risk assessment templates

What Should a Four-Factor Breach Risk Assessment Include?
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification. Analyze the types of PHI involved:
  o Credit card numbers, Social Security numbers, or other information that might result in identity theft
  o The nature of the services, such as mental health or substance abuse information
  o The amount of detailed clinical information exposed
  o If the PHI involves only limited identifiers, can the PHI be re-identified?
Why Is It Important to Consider Who the Unauthorized Person Is?
- If the recipient is another entity constrained by regulations, the risk is lower (example: a fax sent to the wrong physician or other covered entity)
- If the PHI is used by, or disclosed to, a known identity thief or an ex-husband, the risk is much higher

Why Does It Matter if the PHI Was Actually Acquired or Viewed?
- There is a difference between actually acquiring or viewing PHI and only having an opportunity for the information to be acquired or viewed.
- Example: if a laptop is lost or stolen and later recovered, and a forensic analysis shows that the PHI on it was never accessed, there is a lower probability that the PHI was compromised.
How Did You Mitigate the Risk to the PHI?
- If you mitigate the risk to PHI that was improperly used or disclosed, you can lower the risk that the use or disclosure will be determined to be a breach
- Example: requiring the recipient that received the PHI in error to provide assurances, such as in a confidentiality agreement, that the PHI was or will be destroyed or will not be further used or disclosed

What Are Some Best Practices for Documentation?
Are You Keeping a Breach Log?
Important elements to include in your breach log:
- Date of breach
- Date of discovery
- Number of individuals affected by the breach
- Type of breach
- Location of the breached information
- Type of protected health information (e.g., demographic, financial, clinical)

What Else Should Be in Your Breach Log?
- Brief description of the breach: include the location of the breach, a description of how the breach occurred, and any additional information regarding the type of breach, type of media, and type of protected health information involved in the breach
- Safeguards in place prior to the breach, e.g., encryption, physical security, logical access control, anti-virus software, intrusion detection, biometrics
What About Notification and Other Actions Taken?
- Dates notice was provided
- Whether substitute or media notice was provided and, if so, who, what, when, where, how
- Actions taken in response to the breach, e.g., security and/or privacy safeguards, mitigation, sanctions, policies and procedures
- A description of any other actions taken

How Do You Notify an Individual of a Breach of His/Her Protected Health Information (PHI)?
Breach notification requirements:
- Individual notice
  o Written form: first-class mail OR e-mail if the individual agreed to receive e-mail
    - If there is insufficient or out-of-date contact information for 10 or more individuals: post the notice on the web site home page or provide the notice in major print or broadcast media where the affected individuals likely reside
    - If fewer than 10 individuals, substitute notice may be provided by an alternative form of written, telephone, or other means
    - Must include a toll-free number for individuals to contact the covered entity to determine if the individual's PHI was involved in the breach
  o Provide notice no later than 60 days following discovery
  o Include a description of the breach, the types of information involved, the steps individuals should take, a description of the investigation, what is being done to mitigate harm and prevent further breaches, as well as contact information for the covered entity
What if a Breach Is Discovered by a Business Associate?
- The business associate must notify the covered entity no later than 60 days from the discovery of the breach and provide the identification of each individual affected, as well as any information required to be provided by the covered entity in its notification to affected individuals
- NOTE: the time clock for notification by the covered entity starts ticking when the business associate discovers the breach (not when it reports it)

What if a Breach Affects 500+ in a State or Jurisdiction?
- Media notice: in addition to notifying the affected individuals, you must provide notice to prominent media outlets serving the state or jurisdiction no later than 60 days following the discovery of the breach, and the notice must include the same information required for the individual notice
  o This notice can be in the form of a press release to appropriate media outlets serving the affected area
Do You Know How to Submit Your Breach Log to the Secretary?
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html

When Do You Notify the OCR?
- If >500 individuals, no later than 60 days following discovery of the breach
- If <500 individuals, notification no later than 60 days after the end of the calendar year in which the breach(es) occurred
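The notification timing rules on the preceding slides (individual notice, substitute notice, the business-associate discovery clock, media notice, and OCR timing) encoded as a small breach-log helper. This is an added example, not material from the presentation; the class name, field names, the 500 and 10 thresholds as coded, and the sample entries are assumptions or constructed for illustration, and none of it is legal advice for a specific incident.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional

NOTICE_WINDOW = timedelta(days=60)   # "no later than 60 days" throughout the deck
LARGE_BREACH = 500                   # "500+" individuals (assumed inclusive threshold)
SUBSTITUTE_THRESHOLD = 10            # 10+ individuals with insufficient contact info


@dataclass
class BreachLogEntry:                # hypothetical breach-log record for this example
    date_of_breach: date
    date_of_discovery: date          # discovery by the covered entity
    ba_discovery: Optional[date]     # discovery by a business associate, if any
    affected_by_state: Dict[str, int]  # individuals affected per state/jurisdiction
    bad_contact_info: int            # individuals with insufficient/out-of-date contact info

    @property
    def individuals_affected(self) -> int:
        return sum(self.affected_by_state.values())

    @property
    def clock_start(self) -> date:
        # The clock starts when the BA discovers the breach, not when it reports it.
        candidates = [self.date_of_discovery]
        if self.ba_discovery is not None:
            candidates.append(self.ba_discovery)
        return min(candidates)


def make_entry(breach: str, discovery: str, ba_discovery: Optional[str],
               affected_by_state: Dict[str, int], bad_contact_info: int) -> BreachLogEntry:
    """Build an entry from ISO dates (constructed sample data goes through here)."""
    ba = date.fromisoformat(ba_discovery) if ba_discovery else None
    return BreachLogEntry(date.fromisoformat(breach), date.fromisoformat(discovery),
                          ba, affected_by_state, bad_contact_info)


def notification_plan(entry: BreachLogEntry) -> dict:
    """Return the notices and deadlines the deck's rules require for one entry."""
    start = entry.clock_start
    plan = {"individual_notice_by": (start + NOTICE_WINDOW).isoformat()}
    # Media notice is per state/jurisdiction with 500+ affected individuals.
    plan["media_notice_states"] = sorted(
        s for s, n in entry.affected_by_state.items() if n >= LARGE_BREACH)
    # OCR: 60 days from discovery for large breaches, otherwise 60 days after year end.
    if entry.individuals_affected >= LARGE_BREACH:
        plan["ocr_notice_by"] = (start + NOTICE_WINDOW).isoformat()
    else:
        year_end = date(entry.date_of_breach.year, 12, 31)
        plan["ocr_notice_by"] = (year_end + NOTICE_WINDOW).isoformat()
    # Substitute notice depends on how many individuals cannot be reached in writing.
    if entry.bad_contact_info >= SUBSTITUTE_THRESHOLD:
        plan["substitute_notice"] = "web home page or major print/broadcast media, with toll-free number"
    elif entry.bad_contact_info > 0:
        plan["substitute_notice"] = "alternative written, telephone, or other means"
    else:
        plan["substitute_notice"] = None
    return plan
```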
When Should You Involve Legal Counsel?
Best practice:
- If, after an investigation, you are still not sure
- Prior to notifying the patient
- Prior to notifying the media
- Prior to reporting a breach to the government
- Bottom line: it may be expensive, but counsel can best mitigate your risk of audit or lawsuit in such situations!

Who Has the Burden of Proof?
- Covered entities and business associates!
- You must be able to demonstrate that all required notifications have been provided or that a use or disclosure of unsecured protected health information did not constitute a breach
- You must also have in place written policies and procedures regarding breach notification; you must train employees on these policies and procedures; and you must develop and apply appropriate sanctions against workforce members who do not comply with these policies and procedures
Example #1 of a Non-Reportable Incident
- PHI is faxed to the wrong physician, and the receiving physician immediately contacts the covered entity to inform it of the error and confirms that the information was destroyed.
- A low probability exists that the information was compromised, and the disclosure would not be reportable
- Check your state laws
- Should still be included on an accounting of disclosures

Example #2 of a Non-Reportable Event
- A nurse accidentally accesses the wrong patient's information. The patient accessed has the same name and gender as the patient the nurse is assigned to on the floor.
- When the nurse realizes she has accessed the wrong patient's information, she immediately exits the information and does not further access or disclose the information accidentally accessed
- The action can easily be confirmed by running an access audit
Examples of Reportable Events
- An employee accesses the medical and financial information of various patients and sells the information to known identity thieves
- An ex-wife accesses her former husband's medical information without permission in order to use the information in a pending divorce
- An employee accesses a famous individual's information in order to provide the information to the media

What Are Your HIPAA Conundrums and Quandaries?
Thanks for Attending!
Intended for internal guidance only, and not as recommendations for specific situations. Readers should consult a qualified attorney for specific legal guidance.