[BreachExchange] HIPAA Check: Do You Know What to Do if a Breach Happens to You?

Audrey McNeil audrey at riskbasedsecurity.com
Thu Nov 9 20:33:30 EST 2017


https://www.jdsupra.com/legalnews/hipaa-check-do-you-know-what-to-do-if-a-99367/

Breaches happen. They happen to major health systems, and they happen to
solo practitioners. They happen to health plans, and they happen to health
information technology vendors. In our technology-reliant world, it would
be easy to point fingers at the proliferation of our online lives as the
problem. However, most breaches still have a decidedly “low-tech”
component: human error. Even with the best security and best workforce
training, breaches will occur, and when they collide with a
highly-regulated industry such as health care, an old statute with new bite
plays a significant role in how entities respond: the Health Insurance
Portability and Accountability Act of 1996 (HIPAA).[i]

HIPAA and its implementing regulations dictate what health care providers,
health plans, and health care clearinghouses can do with their “protected
health information,” or “PHI,” and what measures these “covered entities”
must put in place to enhance the security of their PHI.[ii] The HIPAA rules
also describe how to know and what to do if you have experienced a
“breach.”[iii]

How do you know if you have a breach?

You have a set of facts that might indicate data compromise – an errant
email, mysterious log-in activity to your electronic health record or a
lost or stolen laptop. How do you know if you also have a breach? HIPAA
defines “breach” as any unpermitted use or disclosure of unsecured PHI,
subject to a few narrow exceptions. Notification obligations are triggered
unless a covered entity has determined, through a risk assessment, that
there is a “low risk of compromise.” For anything other than a “low risk,”
covered entities must notify each affected or potentially affected
individual, the Department of Health & Human Services’ Office for Civil
Rights (OCR) and, for certain major breaches, local media outlets.

The default responsibility for breach notification is on the covered
entity, although vendors and contractors that utilize PHI (i.e., “business
associates”) are obligated to notify their covered entity clients in the
event of a breach.[iv] Covered entities can also set stricter, more defined
obligations for breach notification for their business associates and
delegate notification responsibilities in their business associate
agreements.

In determining whether notification is required, a risk assessment must
account for at least the following four factors:

1. The nature and extent of the protected health information involved,
including the types of identifiers and the likelihood of re-identification;
2. The unauthorized person who used the protected health information or to
whom the disclosure was made;
3. Whether the protected health information was actually acquired or
viewed; and
4. The extent to which the risk to the protected health information has
been mitigated.[v]

These risk assessments are fact-specific analyses, based entirely on the
facts and circumstances of the occurrence or event. For example, in 2016,
OCR published guidance on HIPAA’s application to ransomware attacks, the
malware attacks where data is encrypted and held for ransom, and indicated
that such attacks should be presumed to be a breach because they constitute
an impermissible acquisition of the PHI.[vi] Despite OCR’s clear intent to
treat ransomware attacks as breaches, OCR stopped short of calling all
ransomware attacks breaches that require notification, stating that
entities may still find that there is a “low risk of compromise” through a
risk assessment.

Further, OCR has said that covered entities may skip the performance of a
risk assessment and go right to notification. However, if a covered entity
is unsure of whether a breach has occurred, a risk assessment reaching a
good faith conclusion should be performed and documented.[vii] The burden
is on the covered entity to show that it fulfilled all regulatory
requirements, so documentation should be maintained in a place where it can
be found in the event of an audit or investigation.

Why does compliance matter?

There is a simple reason why it is important to perform risk assessments:
to make required notifications timely and correctly, and to document
exceptions, risk assessments, and notifications appropriately. OCR
enforcement activity has increased in the last few years, and many of the
settlements published on OCR’s website have resulted from investigations
originating with one or more breaches.[viii] This year, OCR issued its
first settlement arising from late breach notification (just one month
late!) for $475,000.[ix] As of August 31, 2017, the highest OCR settlement
to date is $5.55 million, with a total of almost $73 million collected
through settlements since enforcement began.[x]

Conclusion

The reality is that not all breaches are preventable, but the HIPAA
Security Rule prescribes numerous measures that are designed to instill
good data protection practices in covered entities and business associates.
These measures include facility and software/hardware access security,
malware protection, and employee training.[xi] Among the most important
Security Rule measures as to breach notification are those for encryption
in transmission and at rest.[xii] Data that are encrypted are considered
“secured” and, therefore, not subject to breach notification.[xiii] As OCR
continues to actively enforce HIPAA, covered entities and business
associates alike should reevaluate their compliance with all aspects of
HIPAA, including the breach notification regulations.