Legal Matters: What Is Involved In Analyzing And Reporting The Breach of Unsecured Protected Health Information?
Have you ever received a notice that your bank account or credit card may have been compromised? Similar reporting rules now apply to protected health information (PHI) held by providers, insurance companies, health care clearinghouses and their business associates. These rules require methods to detect, analyze and notify patients, the U.S. Department of Health and Human Services (HHS) and the news media of breaches of unsecured PHI in both paper and electronic form. This rule is in effect and is enforceable as of February 22, 2010.
What is a breach? A breach is the acquisition, access, use, or disclosure of unsecured PHI in a manner not permitted by HIPAA and that compromises the security or privacy of the PHI.
Detecting a breach requires methods to monitor inappropriate access to both paper and electronic records. The breach of paper records is difficult to detect because these breaches are carried out by trusted employees and contractors. There are no records of access and it can be almost impossible to trace.
Detecting inappropriate access to electronic records is a common auditing function that may be monitored by a privacy officer. Surreptitious access outside network firewalls can be much more difficult to detect and can potentially go undetected. These breaches, however, also tend to result in the loss of significant volumes of PHI.
What is not a breach? Not all losses of PHI in violation of HIPAA are breaches. One specifically named exception is the loss of a dataset that equals a HIPAA-defined limited data set minus the patient’s date of birth and zip code. While such a dataset may have limited clinical use, its use for certain analysis and research is more commonplace.
Accidental access to the wrong information by an otherwise authorized individual is also not a breach. This covers situations where a caregiver chooses the wrong patient in a computer search or opens the wrong paper file.
Disclosures where the recipient could not reasonably retain the PHI are also excepted. This is a potentially large category that could include mail sent to a wrong address and returned unopened or where an employee momentarily hands paperwork such as lab results, discharge papers or other information to the wrong patient. On a larger scale, this could include the loss of a laptop containing PHI but, when recovered, it is determined that the information was not accessed.
Not all breaches are reportable. Even if a breach occurs, there are two explicit exceptions to breach reporting.
The First Reporting Exception
A breach of PHI that has been secured is not reportable. Secured PHI is PHI that has been rendered unusable, unreadable or indecipherable to unauthorized individuals. For PHI on paper, this generally means shredding or other methods of destruction.
For electronic PHI, it must be encrypted using technologies discussed in Special Publications 800-111, 800-52, 800-77 or 800-113 published by the National Institute of Standards and Technology. The technologies discussed in these publications cover encryption of both data at rest, such as PHI residing in databases, and data in transit, such as data traveling within a network or outside network firewalls. Fixed media that is retired from use must be wiped or destroyed as provided in Special Publication 800-88. Implementation of some of these technologies is no small feat. Most current systems are not designed for use of encryption either at rest or in transit within a network.
It is very important to understand, however, that the HIPAA breach reporting rule does not require encryption of data at rest or in transit within a network. Doing so in compliance with the rule, however, exempts a provider or business associate from reporting the breach.
It is also important to distinguish encryption as a means of compliance with the HIPAA security rules as opposed to the HIPAA breach reporting rules. While there can be some areas of intersection between the two, the rules are different and should be carefully coordinated.
The Second Reporting Exception
Even if PHI that has not been rendered unusable, unreadable or indecipherable is breached, it may not always be reportable. After suffering a breach of either paper or electronic PHI there is an opportunity to perform a risk analysis to determine whether the breach poses a substantial risk of financial or reputational harm to the individuals whose data was breached.
For example, reporting may not be required where one covered entity accidentally and inappropriately discloses PHI to another covered entity that agrees to destroy the PHI. Not only is there agreement between the parties, but the recipient is also a covered entity under HIPAA and subject to the same penalties as the disclosing entity.
Besides an analysis of the recipient of the PHI, the actual PHI disclosed may limit the need for reporting the breach. For example, where the data consists of a list containing only patient names and blood type it may be possible to conclude that there is no substantial risk of financial or reputational harm to the individuals.
What is involved in reporting? The regulations clearly set out the timing and content requirements for reporting the breach to individuals. Breaches affecting 500 or more individuals must also be reported to HHS, which posts the information on its website. Breaches affecting fewer individuals must be reported yearly. In addition, breaches affecting 500 or more individuals in a given geographic area must also be reported to the local news media.
What are the costs involved? Costs involved include investigation and correction of the causes of the breach, as well as notifying the individuals affected, HHS and the news media where required. Notifying the individuals typically involves composing appropriate letters, first-class mailing, e-mailing individuals in certain circumstances, and maintaining a toll-free number, e-mail address and website for providing more information. It is also not uncommon for entities that suffer a breach to provide credit monitoring for affected individuals.
Estimating the costs for reporting a breach in the healthcare context is very difficult because there is simply insufficient historical data available. In the financial services industry current costs are approximately $204 per record.
Final considerations. As your organization performs any risk analyses or updates its incident response and breach notification policies, keep in mind several complicating factors. First, the HIPAA breach notification rule is in addition to state breach reporting laws. State law triggers usually hinge on loss of an unencrypted social security number or other account identification information.
Second, as entities draft business associate agreements to comply with the new HIPAA regulations, make sure there is coordination on reporting of breaches between covered entities and business associates and address responsibilities and costs related to a breach.
Third, review your insurance policies. Cyber-risk policies are available to cover the costs of breach reporting; however, these policies are complex and separate from standard directors and officers or liability policies. Language in these policies can also contain exclusions that limit coverage and may only protect electronic breaches and not paper breaches, both of which are covered by the HIPAA breach notification rule.
Randall E. Sermons, attorney at law, provides legal support for healthcare businesses including regulatory analyses, health information and health information technology as well as general corporate assistance. He may be contacted at firstname.lastname@example.org.