HIPAA and Data Breaches

Travis Good, MD

Travis Good, MD

Co-founder, CEO & Chief Privacy Officer

April 14, 2016  |  HIPAA

One of the most important aspects of HIPAA has nothing to do with technical security like encryption, backup, logging, or any of other requirements for securing data. What’s important is what happens in the case of an unauthorized disclosure of ePHI, or a breach of ePHI. A breach is defined as unauthorized exposure of ePHI or disclosure that’s not authorized or allowed under the HIPAA Privacy Rule. The breach rules were amended in 2013 as part of the HITECH Act.

HITECH Act Sec. 13402(b) Notification of Covered Entity by Business Associate states - A business associate of a covered entity that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information shall, following the discovery of a breach of such information, notify the covered entity of such breach. Such notice shall include the identification of each individual whose unsecured protected health information has been, or is reasonably believed by the business associate to have been, accessed, acquired, or disclosed during such breach.

The majority of breaches are actually not software breaches. They’re not hacking into a system that causes the unauthorized disclosures. Breaches affecting over 500 records are published by CMS. You can see there’s a searchable database of breaches that have occurred, how many records were affected and the type of breach. The vast majority of breaches are hardware breaches. The majority, if not almost all of the breaches, seem to happen because of employee carelessness. It seems like it’s almost always a contractor’s laptop, often at the VA, that’s been unencrypted and has been storing tons of patient records. The laptop is stolen from a car or a house or a coffee shop or an airport or whatever.

“Hacking/IT Incident” only accounts for 68 breaches, a relatively small number. There is great potential to have a breach with a malicious hacker breaking into a private network or any sort of cloud storage, especially public cloud. This potential has fueled much of the slow pace of moving ePHI to the cloud.

There are ways to mitigate that risk – and that is why we created Datica – but the important thing when it comes to a breach is actually having a process in place that details the steps to take in case of a breach. How do you assess what information was exposed in an unauthorized way and then how do you go about notifying relevant parties of that breach? The necessary notifications include anybody from the actual patient whose medical record was exposed, to the media, covered entities, and business associates. The notification policy should lay out plans for forensics to discover the extent of the breach and the cause of the breach. There is typically a chain of command that is outlined in a breach notification strategy that lays out, in detail, who is responsible for different aspects of notification and mitigation. The rules also put the burden on the business associate “of demonstrating that all notifications were made as required” by HIPAA.

The policies should be consistent with what is in the requirements of a business associate agreement in as it relates to the timing to report a breach. HIPAA requires notification of a breach “without unreasonable delay” but allows, at a maximum, 60 days to report a known breach. Most covered entities we’ve worked with want that timeline to be much shorter, and the range we usually hear is somewhere between 24 hours and 5 days. This can be a sticking point in business associate discussions. Some hosting providers have polices in place for breach reporting that are 30 days, 45 days, or even 60 days out; this is not typically inline with what a hospital, payer, or another large healthcare enterprise would expect from a business associate agreement and a breach policy for a business associate that they are working with. Despite the 60 day window, HIPAA rules also go on to require “evidence demonstrating the necessity of any delay.” If it takes 60 days, there have to be reasons given for that delay.

Breach policy and breach notification are things that are extremely important. There are templates for breach notification, but the policy alone does not mitigate risk. There needs to be an understanding within the organization, business associate, or covered entity of what a breach is and what the breach policy is. There also need to be auditing and logging and other systems (IDS) in place to detect and investigate a breach. Detecting the breach is often the challenge which is why having a comprehensive audit log is necessary and, more importantly, being able to generate alerts off the log is critical. Look for something from us to help you address this problem shortly.

At Datica we have both a breach policy and a breach checklist that we can follow in the case of a breach. We’ve mock tested this policy and checklist to assure it makes sense and all relevant workforce members understand their roles. If you want to learn more about our policies for handling breaches, please just ask.