Hacking news at the top of 2015 is driving the Health Insurance Portability and Accountability Act of 1996 (HIPAA) into the limelight. The news – that the second largest insurer in the United States, Anthem, was breached, resulting in the compromise of 78.8 million patient records – makes the HIPAA breach notification rule more relevant.
Many are aware that the Final Omnibus Rule of 2013 modified the law so that business associates are now effectively considered covered entities, but how does that designation apply to notifications? In other words, what does anyone who handles sensitive protected health information (PHI) have to do post-hack in terms of alerting clients, the press, and the HHS?
To answer these concerns, we will look at the expectations for communicating intrusions to affected parties and others, as explained by Elizabeth Snell in Health IT Security.
Basics of the HIPAA Breach Notification Rule
The part of the HIPAA law that is the greatest focus of the healthcare industry is Title II, simply because that section influences the activities of every organization handling health data. The breach notification stipulations mandate that any organization that stores, transfers, or processes patient data must bring any breach to the attention of various individuals and organizations.
Snell provides the example of a medical practice that experiences the theft of a laptop. If the information on the laptop is encrypted, the organization is typically safe: no offense has been committed, since the criminals can’t access the data. However, if there is no encryption in place, “suddenly several hundred patients’ PHI is potentially in criminals’ hands,” she explains. “The healthcare organization in question is required under HIPAA to notify the patients, the Department of Health & Human Services (HHS) and potentially the media.”
One way that the healthcare firm can protect itself – both financially and credibly – is by conducting a risk assessment to determine these details:
- The type of data that was on any breached device or system, along with the probability that a thief or intruder will be able to access it;
- The identity of anyone who accessed or was incorrectly given data, as applicable;
- A determination of whether the data was truly taken and exposed to third parties; and
- Any actions that have been taken to make the patient data less vulnerable.
Healthcare companies and their HIPAA-compliant vendors don’t have to conduct a risk assessment, notes the HHS. It’s just considered a best practice and allows you stronger legal ground.
You should also be aware that it is only necessary to let customers and authorities know about a hack when the PHI is unencrypted. Hacks are of concern to the HHS when they involve data “that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance.” (Example: Note that Anthem was not storing its records in encrypted form.)
If a healthcare company or any third parties that handle its information does not safeguard confidential records with login credentials and two-factor authentication (2FA), HHS may consider it improperly protected as well. Physical protections should also be considered.
Specific Instructions for Notification
The extent of the breach is critical regarding notification. If the impacted patient population exceeds 500, major media must be contacted, along with the HHS Office of Civil Rights. That action must occur within a reasonable time frame and never beyond two months. It should include the bulleted information described below.
If less than 500 people are involved, the firm can wait until the end of the year to notify the HHS – technically by the end of February for any hacks occurring the previous year.
Although small hacks don’t need to involve the media or be immediately reported to the government, patients must be contacted immediately (60 days, maximum). If contact details are incorrect for more than nine people, the information must be published on the company’s home page for three months. Alternately, the organization can submit information to prominent news media for broadcast.
Breach notifications sent out to affected individuals must contain:
- A short summary of the incident
- Categories of compromised data
- Step-by-step instructions so that patients can avoid problems related to the stolen data
- A rundown of the procedure the company is following to assess the damage, reduce vulnerability, and prevent attacks in the future
- Full contact information for the breached company
Note that in the case of a business associate, the vendor must contact the healthcare organization it services as soon as reasonably possible, 60 days maximum.
Operating within Proper Standards
If you experience a hack or any event that potentially compromises data, you need to be able to show the HHS records of your notification process or evidence that demonstrates why the data was not at risk.
There are two forms of evidence you can show to verify that notification did not need to occur:
- The findings of a vulnerability assessment that demonstrates a low likelihood of access and misuse
- “The application of any other exceptions to the definition of ‘breach.’” (De Vivo)
Furthermore, it is critical to have established policies and procedures related to hacks. Your staff must be trained on these parameters as well.
The moral of the story: Be prepared so you can properly protect yourself. Work with an experienced business associate that is HIPAA audited and meets the strict expectations of the American Institute of CPAs. Atlantic.Net offers HIPAA compliant Hosting on SSD Cloud Servers which have a 100% uptime guarantee.