Breach Notification Rule. Overview of Breach Notification Rule. 2020, NAAC Unauthorized copying/distribution is strictly prohibited

Breach Notification Rule

Lesson 2D

Lesson 2D Overview

• Overview of Breach Notification Rule

• Evaluating potential breaches

• Duties for covered entities and business associates

• State breach laws

• Ways to protect against breaches

Overview of Breach Notification Rule

What is the Breach Notification Rule?

• Requires covered entities to notify affected individuals, HHS, and in some cases, the news media of a breach of unsecured PHI

• Also requires business associates to notify the covered entities of breaches

What Are Potential Breaches?

• Lost or stolen portable devices with PHI

• Malware attacks

• Posting PHI online

• Snooping

• Misdirected mail, email, faxes, etc.

Copyright 2016 NAAC®

How Breach is Defined by HIPAA

The acquisition, access, use, or disclosure of unsecured PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI


“Presumption Standard”

• HIPAA says any acquisition, access, use, or disclosure of unsecured PHI is presumed to be a breach unless the CE or BA demonstrates that there is a low probability that the PHI has been compromised

You must demonstrate why it’s not a “breach”

Here’s How it Works

1. First, you learn about a potential HIPAA violation (e.g., a lost laptop)

2. Gather facts and evaluate whether it is a breach

3. If it is, must notify patients, HHS and potentially the media

4. If you determine it’s not, just need to document your process

Let’s Break Down the Rule

For a Breach, You Need to Have

1. A violation of the Privacy Rule

2. An incident involving “unsecured PHI”

3. An impermissible use or disclosure that compromises the privacy or security of the PHI

1. Privacy Rule Violation

• A “breach” must involve an impermissible use or disclosure of PHI

• Things like incidental disclosures are not breaches since they are permitted by HIPAA

• Example: While providing care and communicating at the scene about a patient, providers are overheard by bystanders

2. “Unsecured PHI”

• If the PHI was not encrypted or shredded

• General rule is if someone could view and read the PHI, it’s unsecured

More on securing PHI later in this lesson


3. Compromises Security or Privacy of PHI

• Must perform a 4-factor “risk assessment” to determine whether the incident compromises the security or privacy of the PHI

The 4 Factors

A. The PHI involved

B. The other person involved

C. Whether PHI was actually acquired or viewed

D. Extent of mitigation

About the Risk Assessment

• No factor is determinative, but one factor can be

• Each factor is weighed by looking at the facts of the incident

A. Nature and Extent of PHI and Types of Identifiers

• Probably lower risk

  • Invoice information like a date of service, address, name and payer

• Higher risk

  • Medicare ID numbers, SSNs, clinical information, medical history, etc.

B. The Person to Whom Disclosure Was Made

• Almost no risk

  • Another covered entity who is covered by HIPAA

• Higher risk

  • Non-HIPAA covered individual who inadvertently received the PHI

• Highest risk

  • Hacker, thief or someone who might have a motive to misuse PHI

C. Whether the PHI Was Actually Acquired

• Likely no risk

  • ePCR device is recovered and a forensic analysis shows that PHI was not accessed or acquired

• Higher risk

  • We don’t know whether the PHI was accessed or acquired while it was out of our hands

• Highest risk

  • We know someone accessed, acquired, used or disclosed PHI

D. The Extent to Which Harm to the PHI Has Been Mitigated

• Were immediate steps taken to mitigate the potential harm?

  • The individual contacted you right away

  • The email was able to be recalled from the encrypted server

  • The other party confirmed, in writing, that it destroyed the PHI immediately


Your Risk Assessment Must . . .

• Be completed in good faith

• Have reasonable conclusions

i.e., Look at your conclusion from the perspective of OCR, who is looking out for the patient

May Skip Risk Assessment

• A CE or BA may decide, without going through a risk assessment, to provide breach notification

• e.g., if a laptop was stolen from an employee’s car and it appears you will never retrieve it

Finally, Look to See if a Breach Exception Applies

1. Unintentional Acquisition, Access or Use

2. Inadvertent Disclosures to Other Authorized Parties

3. Disclosure Where Retention Not Possible

1. Unintentional Access, Acquisition or Use

• Not a breach if:

  • Made in good faith,

  • Made within the scope of employment, and

  • Does not result in further improper use or disclosure

Unintentional Access, Acquisition or Use

• Example:

In preparation for a Q/A meeting, Chief Wilson opens a file containing what he believes to be de-identified statistical trip data for XYZ Ambulance. But, when he opens the file, he discovers that it contains PHI for patients transported during the previous year. He closes the file, renames it, and saves to the proper location on the computer.

2. Inadvertent Disclosures to Other Authorized Parties

• Inadvertent disclosure by a person who is authorized to access PHI to another person authorized to access PHI at the same agency is not a breach if PHI is not further used or disclosed in a manner not permitted by HIPAA


Inadvertent Disclosures to Other Authorized Parties

• Example:

EMT Smith accidentally pulls up the record of John Adams instead of John Q. Adams. After looking through the medical history for John Adams and relaying it to his partner, Smith realizes he has the incorrect record and was sharing PHI from the wrong patient with his partner. The information is not shared with anyone else.

3. Disclosure Where Retention Not Possible

• Not a breach if you have a good faith belief that an unauthorized person to whom disclosure was made would not reasonably have been able to retain the PHI

  • How long the individual had it in his/her possession

  • Any opportunity they may have had to download or copy it

Disclosure Where Retention Not Possible

• Example:

Paramedic Carter drops a paper face sheet while walking outside of the ER. A hospital visitor sees him drop it and immediately picks it up, returns it to Carter and says, “You just dropped this.”

Ok, you’ve determined the incident is a Breach. Here are your duties…

General Requirements:

• Following the “discovery” of a breach, CE must notify:

  • Each individual whose unsecured PHI has been, or is reasonably believed to have been, breached

  • HHS

  • The news media when the breach affects 500 or more patients of the same jurisdiction

“Discovery” of Breach

• Breach is treated as “discovered” by CE on first day that breach is:

  • Known to CE

  • Or should have been known by CE


Should Have Known

• CEs must have ways to discover breaches and can’t ignore signs of breaches

• Must train workforce to report

• Investigate complaints or suspicious activity

• Must have a breach reporting procedure

• If you don’t, your discovery date becomes the date you should have known about it

“Discovery” of Breach

• CE is deemed to “know” about the breach if any workforce member or agent of the CE knows about it

• Does not include the person who committed the breach

Discovery Date if the Breach Occurred at Your Business Associate

• Generally, a CE has “discovered” a breach once the BA has notified the CE of the breach

• i.e., notification from the BA to the CE starts the clock running for the CE to notify

Business Associate Breaches

• But, if a BA is acting as an “agent” of the CE, the date of the BA’s discovery is the date of the CE’s discovery

• i.e., the date the BA discovers the breach starts the clock running for the CE to notify

When You Must Notify

• Notice by CE to affected patients must occur without unreasonable delay but in no case later than 60 calendar days after discovery of the breach

• HHS: 60 days is the “outer limit” and notification should occur once all relevant information is obtained and the determination has been made

Law Enforcement Delay

• If a law enforcement official tells CE that notice to the patient would impede a criminal investigation, then CE shall:

  • Delay notice for the time requested if the statement from law enforcement is in writing

  • Delay the notice temporarily, no longer than 30 days, if it is an oral statement (and document the statement)


Content of Breach Notice (Covered Entities)

Notice to Affected Individuals Must Contain These 5 Things . . .

1. Description of Breach

• Brief narrative about surrounding circumstances including:

  • Date of breach

  • Date of discovery (if known)

• Avoid names of workforce parties involved if unnecessary, and avoid information about other affected parties

2. Description of Type of PHI

• List and describe types of PHI involved in breach:

  • e.g., “Your full name, SSN, DOB, home address, account number, condition were contained on the stolen laptop device.”

• List only the type - e.g., do not list the patient’s actual SSN in the notice

3. Steps Individual Should Take

• List any steps that may help individuals protect themselves from potential harm from breach, such as:

  • Recommendation that individual contact credit bureaus and/or obtain credit monitoring services

  • Recommendation that individual file police report

4. What the CE is Doing

• Describe what CE is doing (or has done) to investigate the breach, mitigate harm to the individual, and protect against further breaches, such as:

  • Notified the police

  • Changed procedures

  • Updating security

5. Contact Procedures to Learn More Information

• Must include either:

  • Toll-free telephone number

  • Email address

  • Web site, or

  • Postal address

Breach Notice to Affected Individuals

Form of Notice

• Written

• No page limitation

• Plain language

Sample Individual Breach Notice in CAPO Resource Materials

Method of Notice to Individuals

• First-class mail to last known address

• Email if the individual agrees to receive email notice

• Notice may be provided in one or more mailings if new information becomes available after the initial notice

Minors or Incapacitated Persons

• If individual is a minor or lacks legal capacity due to physical or mental condition:

  • Notice to parent, legal guardian, or

  • Other personal representative

Deceased Persons

• If CE knows that individual is deceased, notice should be sent to last known address of:

  • Next of kin, or

  • Personal representative

• If you don’t have contact information for the next of kin or personal representative, no action is necessary


Bad Contact Information

• If CE has insufficient or out-of-date contact information (address) for some or all affected individuals, CE must provide substitute notice

Substitute Notice: 10 or More Individuals

• If CE has bad contact information for 10 or more individuals:

  • Conspicuous posting for 90 days on home page of website of CE, or

  • Conspicuous notice in major print or broadcast media in geographical area where affected individuals likely to reside

Substitute Notice: Fewer Than 10 Individuals

• Use whatever you have

  • Email address, phone number, etc., use that

  • If not, document that you don’t have anything

Urgent Situations

• If possible imminent harm to individual, you may provide notice by telephone or other appropriate means in addition to written notice

News Media Notice

• Breach involving more than 500 residents of a single state or jurisdiction

• Must provide notice to prominent media outlets serving the state or jurisdiction


News Media Notice

• Must be provided to news media “without unreasonable delay” and no later than 60 days

• Must contain same information as individual notice

• In addition to individual notice

HHS Notice

General Rule

• CEs must notify HHS of all breaches regardless of the size of the breach

• Submit all information on HHS’s website

(Link to Report Breaches in CAPO Resource Materials)

Breaches Involving 500 or More Individuals

• CE must send notice to HHS at the same time it sends out individual notice

• All breaches involving 500 or more

• Doesn’t matter if the individuals are from a single state or jurisdiction like it does for media notice

• HHS posts these breaches online on public list

Breaches Involving Less Than 500 Individuals

• Must submit information to HHS annually within 60 days of the end of the calendar year in which the breach occurred

Breach Notification Duties of Business Associates


General Rule – Business Associates

• After discovery of a breach of unsecured PHI, must notify covered entity of the breach without unreasonable delay but no later than 60 days

• Note: BAs have no reporting obligations to individuals, the media or HHS under HIPAA. But look to see if BA contractually agreed to perform breach notice.

Must Provide to Covered Entity . . .

• Identity of each individual whose unsecured PHI has been, or is reasonably believed to have been, breached

• Any other available information that CE is required to include in the individual notice to affected individuals

State Breach Laws

All States Have Breach Laws

• Laws vary from state to state; check with local legal counsel

• Many state laws do not apply specifically to PHI

• But, if the breach involved information covered by the state law, then you may have additional breach notice obligations under state law

State Breach Laws

• If HIPAA breach notification rules are more stringent than state law, compliance with HIPAA’s breach notification rules should satisfy the state law requirement

• But, if the state law is more stringent, you must comply with it in addition to HIPAA

Examples of State Laws

• California (CA Health and Safety Code §1280.15)

  • For breaches of medical information, the entity must provide notice to patients and the CA Department of Public Health within 5 business days

• New Jersey (N.J. Stat. § 56:8-163)

  • For breaches involving “personal information,” the entity must first report breach to NJ State Police


Ways to Protect Against Breaches

Secure Your Data!

• REMEMBER, breach notification is only required for “Unsecured PHI”

HHS Guidance on Securing PHI

• HHS published guidance, and if you secure data in accordance with guidance, it’s not a “breach”

• HHS’s Website:

http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html

HHS Guidance on Securing PHI

• 2 methods for rendering PHI “secure”

1. Proper encryption or destruction of e-PHI

2. Proper destruction of hard copy PHI

Securing Electronic PHI

• HHS recommends encryption across all data states according to NIST standards:

  • Data in Motion (email)

  • Data at Rest (servers)

  • Data in Use (using file)

  • Data Disposed (discarding electronic devices)

Securing Paper, File, or Other Hard Copy PHI

• Must be:

  • Shredded, or

  • Destroyed

Such that the PHI cannot be read or otherwise be reconstructed

• Redaction is not an appropriate method to secure paper PHI


Maintaining Paper PHI

• Paper PHI can’t ever be “secure”

• Convert it to electronic format (i.e., scan it), then encrypt the electronic files

• Shred paper copies

• Physical safeguards like locked rooms and file cabinets

Let’s Summarize . . .

Legal Duties of CEs and BAs

• Covered entities must notify:

  • Affected patients

  • HHS

  • Potentially the news media

• Business Associates must notify:

  • Covered entities

Elements of a Breach

• “Unsecured” PHI

• Violation of Privacy Rule

• An incident that compromises the security or privacy of the PHI, as determined through a Risk Assessment

Individual Notice

• CE must make breach notice to affected individuals without unreasonable delay but in no case later than 60 days after discovery

• First class mail

• Substitute notice if you have bad contact information

Media Notice

• Media notice is required for breaches involving 500 or more residents of a single state or jurisdiction


HHS Notice

• All breaches

• Less than 500 affected – 60 days after end of year in which breach occurred

• 500 or more – at the time individual notice is sent
