[BreachExchange] When Does a HIPAA Breach Exist?

Audrey McNeil audrey at riskbasedsecurity.com
Thu Apr 5 18:57:23 EDT 2018


https://www.jdsupra.com/legalnews/when-does-a-hipaa-breach-exist-24146/

Conducting HIPAA Breach Risk Assessments

The HIPAA rules relating to the assessment of potential patient confidentiality
breaches were changed in 2013.  Specifically, on January 17, 2013, the
Office for Civil Rights released new regulations defining when a HIPAA
breach is deemed to occur.  These regulations recast the steps that covered
entities are required to take when they learn of potential HIPAA
infractions.

The existence of these regulations is not particularly newsworthy in 2018.
They have, after all, been around since early 2013.  What is significant
about these regulations is that many providers have not updated their
process for assessing potential breaches to bring it in line with the new
regulations.  Even where the process has been updated, some individuals within
the organization may not understand the process or the subtle but
significant changes the 2013 regulations made.

Information-Focused Risk Assessment Process

Before I get into the weeds of HIPAA breach assessment, I want to point out
the main change made in 2013.  This is where many policies fall short and
require updating.  The change involved a refocus of the risk assessment
from the potential negative impact on the patient whose information is the
subject of the potential breach, to the risk of compromise to the
information itself.  A potential breach is not considered to be a breach if
it is determined, through performance of a risk assessment, there is a low
probability of compromise.

Previously, the probability that the patient would be harmed was the focus.  This
standard gave significant latitude to permit determinations that a breach
did not exist.  For example, let’s say a disc containing records from a
knee examination is sent to a wrong address.  Assuming the recipient has
no idea who the subject of the information is, and that no financial
information or information permitting identity theft is on the disc, it could be logical
to conclude there is a low probability of compromise and no breach.

The same facts could produce a different result under the current,
information-focused risk analysis, as there would be a much greater
likelihood of compromise of the information.  A recipient at the wrong
address could easily access the information and see that the patient has a
really messed up knee.  Every situation has its subtleties and I don’t want
to automatically conclude that a breach exists under the current assessment
standard.  But the example highlights the possible shift in outcome
applying the information-centric assessment.

Steps to Conduct a HIPAA Breach Assessment

HIPAA Violation vs. HIPAA Breach.  A good point of departure for explaining
the breach rules is to distinguish between a HIPAA violation and a HIPAA
breach.  Not every HIPAA violation amounts to a breach.  At the same time,
all breaches include a HIPAA infraction as a necessary element.  At least
from the perspective of HIPAA, no breach can exist if there has been no
violation of HIPAA.  If a use or disclosure is permitted under an
applicable exception to the HIPAA privacy mandate, there can be no breach
created by a release within the scope of that exception.  There could still
be penalties for the applicable violation.  But the breach disclosure and
notification rules would not apply if no “breach” resulted from the HIPAA
violation.

Specific Exceptions to Breach.  There are also three specific exceptions
under which an impermissible violation of HIPAA is not considered to be a
breach.  Each of these three exceptions to breach has a variety of
specific requirements.  The three exceptions are broadly described as (i)
unintentional acquisitions, access, or use, (ii) certain inadvertent
disclosures, and (iii) disclosures where there is a good faith belief the
party receiving the information would not be able to retain it.  These
situations might still violate HIPAA, but would not be considered
“breaches.”  Keep in mind when assessing the applicability of an exception
the covered entity has the burden of proving that all elements of the
exceptions being relied upon are met.  The facts you rely upon and the
reasonableness of your conclusions, with full cognizance that you carry the
burden, should be well documented before you can rely on an exception to
breach.  If you are confident an exception is supported, document it
carefully and completely.

Summarizing the First Two Assessment Steps.  Considering the information
provided in this article thus far, we can begin to see the first two steps
applicable to assessing whether a HIPAA breach situation exists under a
specific set of facts.  Step one is to determine which violation of HIPAA
Privacy or Security rules occurred.  If no such violation occurred, there
can be no breach.  End of analysis.

The second step is to ascertain whether one of the three specific
exceptions from breach is applicable.  If an exception applies, there is no
breach.

Now for a third step in the process.  Encryption.  This concept applies
when the potential breach occurred with regard to protected health
information that was in electronic form.  Electronic information is
normally the most susceptible to further compromise because it can be
easily moved around the world and/or to a broad population.  Electronic
information that meets encryption standards is not subject to the same
level of potential vulnerability.  For this reason, if you can clearly
establish the lost information was properly encrypted, no breach would have
occurred.  Let’s take for example patient files that are burned to CD.  If
the information or disc is properly encrypted, no breach occurs when or if
the disc is lost or stolen.  Encryption present.  No Breach. Assessment
over.

Breach Risk Assessment – Probability of Compromise.  Assuming you have gone
through the steps described above, your breach assessment is still active.
You may still be looking at a potential breach situation.  There is one
more step to the analysis, and this step is the most difficult.  Let’s call
this the “low probability” step.  This step derives from the changed
definition of breach contained in the 2013 regulations.  The regulations
define a breach as an “acquisition, access, use, or disclosure” that
“compromises the security or privacy” of the applicable protected health
information.

As I pointed out earlier in this article, the “compromise” standard was one
of the most significant changes made by the 2013 regulations.  It is also
the source of the most confusion.  To review, before 2013, the focus was on
the individual whose information was at issue.  A breach only occurred if
the acquisition, access, use, or disclosure posed significant risk of
financial, reputational, or other harm to the individual.  In 2013, the
focus of this part of the analysis was shifted to the information, rather
than the individual.  The assessment now focuses on the overall probability
of compromise to the protected health information.  The end result is that
more violations will now need to be treated as actual breaches.

The 2013 regulations established certain minimum requirements for assessing
the probability of compromise.  A formal risk assessment must be conducted
and must include certain specific factors.  Required factors include (i)
the nature and extent of the protected health information that is involved,
(ii) the types of identifiers included in the information, (iii) the
likelihood the information might be re-identified, (iv) the identity and
nature of the unauthorized recipient (or potential recipient) of the
information, (v) whether any actual access was obtained to the information,
and (vi) the extent to which potential compromise has been mitigated.

Each of these factors must be considered in the context of the impact on
the risk of compromise to the information.  For example, with respect to
the nature of the information involved, specific patient care information
or financial information might place the risk of compromise at a higher
level.  Financial information would seem to greatly enhance the
vulnerability of the information because of the potential for
exploitation.  Consideration of the nature of information does not take
place in a vacuum.  Other available information might be used to
re-identify individuals or increase risk of compromise and should be
considered in conjunction with the nature of the lost information.

If the identity of the recipient is known, the nature and background of the
recipient is also relevant.  There are no black and white rules here, but
it seems logical that if someone with convictions for identity theft
receives the information a greater level of risk is present than if a
health care worker with no negative background is the recipient, who
promptly and voluntarily comes forward to report finding the information.

In the end, if you believe, based on supported facts, that there is a low risk of
compromise identified as a result of a thorough risk assessment, you should
still consider the standard of proof required to be met.  The covered
entity always carries the burden of proving the risk of compromise is low.
In fact, the regulations establish a presumption that an impermissible
acquisition, access, use, or disclosure is a breach unless the covered
entity affirmatively overcomes the presumption by demonstrating there is a
low probability that compromise took place.  In effect, this presumption of
breach removes some of the discretion that existed under the old
regulations for covered entities to determine that no breach existed.  With
this in mind, it is critical that any determination you make that a breach
does not exist must be supported by well documented and reliable facts,
expert opinion, verifiable evidence, and well-reasoned analysis.
Additionally, a thorough investigation report should be used to further
support the diligence you took to reach your conclusion.  If any doubt
remains regarding the probability of compromise, it should be resolved in
favor of treating a situation as a breach and complying with the breach
notification rules.
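The four steps described above (violation, exception, encryption, low-probability assessment over the six required factors) can be encoded as a decision procedure in which every undocumented or unresolved question falls toward "breach", mirroring the presumption of breach and the covered entity's burden of proof. The following Python is an added example written for this post; it is not code from the article or from JDSupra. The field names, the `Incident` and `Factor` records and the sample incidents are all constructed for illustration, and the check that the decryption key was not also lost is this example's own assumption rather than a statement from the article.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Outcome(Enum):
    NO_VIOLATION = "no HIPAA violation, so no breach; analysis ends"
    EXCEPTION = "a documented exception to breach applies; no breach"
    ENCRYPTED = "PHI was properly encrypted; no breach"
    LOW_PROBABILITY = "documented low probability of compromise; no breach"
    BREACH = "presumed breach; apply the breach notification rules"


# The three exceptions and six risk-assessment factors, as named in the article.
EXCEPTIONS = {"unintentional_acquisition_access_use",
              "inadvertent_disclosure",
              "recipient_unable_to_retain"}
REQUIRED_FACTORS = ("nature_and_extent", "identifiers", "reidentification",
                    "recipient", "actual_access", "mitigation")


@dataclass
class Factor:
    rating: str        # "low" or "elevated" contribution to risk of compromise
    evidence: str      # documented facts supporting the rating ("" = none)


@dataclass
class Incident:
    violation_found: Optional[bool]           # None = not yet determined
    exception_claimed: Optional[str] = None
    exception_elements_documented: bool = False
    electronic: bool = False
    encrypted: Optional[bool] = None
    key_compromised: Optional[bool] = None    # assumption beyond the article
    factors: Dict[str, Factor] = field(default_factory=dict)
    investigation_report: bool = False


def assess(inc: Incident) -> Tuple[Outcome, List[str]]:
    """Walk the four steps; any unresolved question resolves toward BREACH."""
    notes: List[str] = []

    # Step 1: a breach requires an underlying HIPAA violation.
    if inc.violation_found is False:
        return Outcome.NO_VIOLATION, notes
    if inc.violation_found is None:
        notes.append("step 1: violation not yet determined")
        return Outcome.BREACH, notes

    # Step 2: the covered entity must prove every element of a claimed exception.
    if inc.exception_claimed is not None:
        if inc.exception_claimed in EXCEPTIONS and inc.exception_elements_documented:
            return Outcome.EXCEPTION, notes
        notes.append("step 2: exception claimed but elements not proven")

    # Step 3: properly encrypted electronic PHI ends the analysis.  Requiring
    # proof that the key was not also lost is this example's assumption.
    if inc.electronic and inc.encrypted:
        if inc.key_compromised is False:
            return Outcome.ENCRYPTED, notes
        notes.append("step 3: encrypted, but key status unknown or compromised")

    # Step 4: low-probability-of-compromise assessment over all six factors.
    missing = [f for f in REQUIRED_FACTORS if f not in inc.factors]
    if missing:
        notes.append("step 4: factors not assessed: " + ", ".join(missing))
        return Outcome.BREACH, notes
    unsupported = [f for f, v in inc.factors.items()
                   if v.rating != "low" or not v.evidence]
    if unsupported:
        notes.append("step 4: elevated or undocumented factors: " + ", ".join(unsupported))
        return Outcome.BREACH, notes
    if not inc.investigation_report:
        notes.append("step 4: no investigation report supports the conclusion")
        return Outcome.BREACH, notes
    return Outcome.LOW_PROBABILITY, notes


# Constructed sample incidents (illustrative, not cases from the article).
# The knee-examination disc mailed to the wrong address: unencrypted, so
# actual access by the recipient cannot be ruled out.
MAILED_DISC = Incident(
    violation_found=True, electronic=True, encrypted=False,
    factors={
        "nature_and_extent": Factor("low", "single knee examination record"),
        "identifiers": Factor("low", "name and date of birth only"),
        "reidentification": Factor("low", "recipient is a stranger to the patient"),
        "recipient": Factor("low", "unrelated household, no adverse history"),
        "actual_access": Factor("elevated", "unencrypted disc; access cannot be ruled out"),
        "mitigation": Factor("low", "disc recovered the next day"),
    },
    investigation_report=True,
)
# A lost CD of patient files that was properly encrypted, key not lost with it.
ENCRYPTED_CD = Incident(violation_found=True, electronic=True, encrypted=True,
                        key_compromised=False)
# A fully documented low-probability finding backed by an investigation report.
WELL_DOCUMENTED = Incident(
    violation_found=True,
    factors={f: Factor("low", "documented in investigation file") for f in REQUIRED_FACTORS},
    investigation_report=True,
)
# An exception asserted without proof of all of its elements.
UNPROVEN_EXCEPTION = Incident(violation_found=True,
                              exception_claimed="inadvertent_disclosure",
                              exception_elements_documented=False)


if __name__ == "__main__":
    for name, inc in [("mailed disc", MAILED_DISC), ("encrypted CD", ENCRYPTED_CD),
                      ("well documented", WELL_DOCUMENTED),
                      ("unproven exception", UNPROVEN_EXCEPTION)]:
        outcome, notes = assess(inc)
        print(f"{name}: {outcome.value}" + (f"  [{'; '.join(notes)}]" if notes else ""))
```

The point of the structure is the default: `assess` never returns a "no breach" outcome unless a specific step is affirmatively satisfied and documented, so a missing factor, an exception asserted without its elements, or an unknown key status all produce a presumed breach together with a note saying why, which is the record the article says should exist before relying on any exception.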

Parting Words.  I will leave you with one parting word of wisdom that has
been acquired by handling a number of potential breaches.  I have found
that HIPAA issues often arise in the most unexpected ways.  The same can be
true of potential compromise situations.  You may think you have examined
and closed all the gaps that could result in compromise.  But you should
never lose sight of a central question.  What happens if you are wrong?  If
the subject information is, in fact, compromised and used for nefarious
reasons in the future, what you consider to be a fairly tight risk
assessment today can take on a different light in the future.  Clearly not
all potential breaches require treatment as actual breaches.  But if a
compromise actually occurs, your assessment is going to appear incorrect,
no matter how much reason went into it.  This underlines the need for a
complete, well supported, and reasonable assessment.  This is not an area
where shortcuts should be taken.