Privacy Breaches


Reference

 

WE’VE HAD A PRIVACY BREACH! NOW WHAT DO WE DO?

We hope you never have to use this Geek Out! page, but the reality is that privacy breaches can occur despite an employer’s best efforts and in the most unexpected ways.1

This material outlines an employer’s legal obligation under HIPAA2 if it, or one of its business associates, suffers an inappropriate use, disclosure or other loss of Protected Health Information (PHI). It assumes an understanding of what constitutes PHI, knowledge of what a business associate (BA) is and general understanding of the obligations of employers, health plans and business associates to protect the PHI in their possession.

The topics covered are as follows:

HIPAA Privacy Breaches – Notification

Obligations of Business Associates

Summary: Steps Before and After a Breach

 

HIPAA Privacy Breaches Background

Prior to passage of the Health Information Technology for Economic and Clinical Health Act (HITECH), the rules regarding the handling of a privacy breach were only broadly set out. The law applied only to health plans; the latter were required to secure the compliance of their business associates through their business associate contracts. The privacy rules required efforts to mitigate the consequences of a breach (to the extent practicable), but left the details of those efforts to the judgment of the covered entity. Congress passed HITECH, in part, to address inconsistency and uncertainty in how the rules were applied. In doing so, it:

What Constitutes a Breach?

HITECH defines a breach as the unauthorized acquisition, access, use, or disclosure of PHI that compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.

Under the HITECH rules, any impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or BA can demonstrate that there is low probability that the PHI has been compromised (or some other exception applies).3 This immediately leads to the question of what it means for PHI to be compromised. Initially, the government focused on an assessment of whether an individual whose PHI was part of a breach had been harmed and many employers have, appropriately, been relying on that standard. However, the government received much criticism saying that this standard was too narrow, too vague and subject to too much interpretation. In response, the final rule established four factors that covered entities must consider when deciding whether a particular incident compromises PHI:

(1) The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;

(2) The unauthorized person who used the protected health information or to whom the disclosure was made;

(3) Whether the protected health information was actually acquired or viewed; and

(4) The extent to which the risk to the protected health information has been mitigated.4


With respect to the first (1) factor, the assessment should include:

  • The sensitivity of information;
  • The amount of the information; and
  • The nature of the identifiers and the likelihood that it could be re-identified.

For the second (2) factor, the covered entity should consider:

  • Who used or received the PHI.
  • Whether the recipient had an independent duty to preserve the privacy and security of the PHI.

The third (3) factor requires covered entities to determine if the protected health information was actually acquired or viewed or, alternatively, if only the opportunity existed for the information to be acquired or viewed.

The final (4) factor requires covered entities to consider the extent to which the risk to PHI has been mitigated. This may include obtaining satisfactory assurances from the recipient of the information that it has been returned or destroyed without further disclosure. The rule suggests that a confidentiality or similar agreement could constitute a satisfactory assurance.

What is “Unsecured PHI”?

HITECH requires covered entities to notify individuals affected by a breach of unsecured PHI. Unsecured PHI is PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the government. The only specified methodology is encryption or destruction in accordance with National Institute of Standards and Technology (NIST) guidelines5. This methodology is not intended to be illustrative. It is exclusive and exhaustive.

HIPAA Privacy Breaches – Notification

If a health plan or its BA suffers a privacy breach, the BA and the covered entity must give certain notifications within a specified period time after the date the breach is treated has having been discovered. These notifications will always involve the affected individuals and may include notifications to media and the Secretary of HHS depending on the circumstances.

When Is a Breach Treated as Discovered?

Reasonably Known

The “should reasonably have known” criterion will depend on the facts and circumstances of the breach.

HITECH specifies that a breach shall be treated as discovered by a covered entity or business associate as of the first day on which such breach is known or “should reasonably have been known” to the covered entity or business associate. The Act also specifies that this discovery occurs as soon as any person, other than the individual committing the breach, who is an employee, officer, or other agent of the covered entity (or of the business associate) knows or should reasonably have known of the breach.

If the breach happens to a BA6, and the BA is acting as the agent of the covered entity, the BA’s discovery of breach is imputed to the covered entity so that the covered entity’s obligation to provide notification begins upon the business associate’s discovery and the plan’s notice period will begin running on that date. If the BA is an independent contractor, the plan’s notice period will begin when it is discovered as discussed above. The federal common law of agency will apply to determine who is an agent. Contractual boilerplate language frequently recites that the parties are independent contractors; however, the actual status is determined by the factual relationship between the parties.

When Must Breach Notification Be Given to Individuals?

Covered entities must notify individuals of a breach without unreasonable delay, but in no case later than 60 calendar days from the discovery of the breach, except in certain circumstances where law enforcement has requested a delay. Where a BA that is an agent of the covered entity discovers (or should have discovered) the breach, the 60 days will begin to run from that date.

It is not always immediately obvious whether an impermissible use or disclosure of PHI is a “breach”, i.e., whether it compromises the security or privacy of the information. Regardless, the time period for breach notification begins when the incident is first known, not when the investigation of the incident is complete.

Keep in mind that the 60-day period is an outer limit, not a license to automatically take 60 days to respond.

What Information Must Be Included in the Notice?

If notification is required, the following items must be included in the notices to the extent possible:

(1) A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;

(2) A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);

(3) Any steps individuals should take to protect themselves from potential harm resulting from the breach;

(4) A brief description of what the covered entity involved is doing to investigate the breach, mitigate the harm to individuals, and to protect against any further breaches; and

(5)  Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an email address, web site, or postal address.

How Must Notice Be Delivered?

HITECH requires breach notifications to be sent by first-class mail at the last known address of the individual or next of kin if the individual is deceased, or by electronic mail if specified as the preferred method by the individual. Notification may be made in multiple mailings as information becomes available.

If the plan does not have accurate or current contact information, substitute notice must be provided.

  • If there are fewer than 10 individuals for whom substitute notice is required, the plan may notify individuals through an alternative form of written notice, by telephone7, or other means reasonably calculated to reach the individuals.
  • If substitute notice is required for 10 or more individuals, the plan may provide it through either a conspicuous posting for a period of 90 days on the home page of its web site or conspicuous notice in major print or broadcast media in geographic areas where the individuals affected by the breach likely reside. Which media to use must be determined on a facts and circumstances basis, but be designed to reach the geographic areas where affected individuals are likely to reside. The plan must also have a toll-free phone number, active for 90 days, where an individual can learn whether his or her PHI may have been included in the breach and to include the number in the notice.

In some cases, a BA who suffers the breach will have undertaken to discharge the plan’s notice obligations. Regardless, the plan remains responsible for the notices, and therefore, should monitor its BA closely.

When Must Notice Be Provided to the Media?

A plan must provide notice of a breach to prominent media outlets serving a State8 or jurisdiction, following the discovery of a breach if the unsecured protected health information of more than 500 residents of such State or jurisdiction is, or is reasonably believed to have been, accessed, acquired, or disclosed during such breach. This media notice is in addition to, not a substitute for, individual notice.

The selection of an appropriate prominent media outlet will depend on the geographic extent of the breach. For a breach affecting more than 500 individuals across a particular state, a prominent media outlet may be a major, general interest newspaper with a daily circulation throughout the entire state. In contrast, a newspaper serving only one town and distributed on a monthly basis, or a daily newspaper of specialized interest (such as sports or politics) would not be viewed as a prominent media outlet. Where a breach affects more than 500 individuals in a limited jurisdiction, such as a city, then a prominent media outlet may be a major, general-interest newspaper with daily circulation throughout the city, even though the newspaper does not serve the whole State.

Note that media notification is not required if it does not affect more than 500 individuals in a single State even if it affects more than 500 individuals in the aggregate. For example, if a breach affects 300 persons in State X and 400 in State Y, media notification is not required in either state. If a breach by a BA affects more than one plan in a particular State, media notification is not required if no more than 500 individuals in any given plan are affected. For example, a third party administrator has a breach that affects 700 persons in a given state. Three hundred persons are covered under a plan sponsored by Employer A and four hundred are covered under a plan sponsored by Employer B. Neither plan is required to notify the media.

When Must Notice Be Provided to the Secretary of HHS?

Plans must notify the Secretary of all breaches of unsecured protected health information. Breaches affecting 500 or more individuals must be reported to the Secretary concurrently with the required individual notices.

Distinguish the obligation to notify the media, which is triggered by breaches affecting more than 500 people in a given State, with the obligation to promptly notify the Secretary which is triggered by breaches affecting more than 500 people, regardless of where they live.

For breaches affecting fewer than 500 individuals, plans may maintain a log of all such breaches occurring during the year and annually submit it to the Secretary.

See the HHS web site for information on how to submit breach notification to the Secretary.

Obligations of Business Associates

A business associate of a plan must notify the plan when it discovers a breach of the PHI that it handles. Notification must be given without unreasonable delay and in no case later than 60 days from discovery of the breach. Additionally, BAs must provide covered entities with the identity of each individual whose unsecured PHI has, or is reasonably believed to have been, affected by the breach.

The discovery rules for BAs are the same as those for a plan. As with plans, a BA may uncover details about a breach in various stages. However, the BA may not delay notification to a plan simply because it is still gathering information.

Summary: Steps Before and After a Breach

Steps Employers Should Take Now (BEFORE a Breach)

  1. Timing is critical when responding to a breach. After a breach is not the time for people within your organization to learn about the Privacy Breach Rules. Appoint a person or persons whose job it is to understand the rules and develop a response plan.
  2. Determine which, if any, State laws apply to breaches of PHI and what their requirements are.
  3. Know what PHI you have and where it is. This will help avoid your nightmare scenario (e.g., a file box has been stolen out of storage; you’re pretty sure that the box contains unsecured PHI, but you don’t whose it is or what it included).
  4. Make sure that the breach review process includes an assessment of the four factors required by the rules.
  5. Make sure that all employees understand the importance of reporting breaches and the process for reporting them.
  6. Assess the feasibility of rendering PHI unusable, unreadable or indecipherable in accordance with government standards and implement accordingly. If for some reason you find it infeasible, rethink it from time-to-time.
  7. Make sure that all business associate (BA) contracts contain appropriate language regarding the BA’s obligations in the event it suffers a breach.
  8. Know which of your BAs are your agents and which are independent contractors.
  9. In certain instances, a breach may trigger mitigation obligations. In cases where the breach includes social security numbers, birth dates or other information that could place an individual at risk of financial fraud, a more or less standard mitigation offering involves credit monitoring and/or identify theft insurance. Entities that maintain large amounts of PHI (either directly or through their BAs) may find it expedient to arrange for the availability of these products in advance.

Steps Employers Should Take AFTER a Breach

  1. Collect all available information.
  2. Apply the four factor test to determine whether the privacy and security of the PHI has been compromised.
  3. Determine when the notification begins to run. If a business associate suffers the breach, determine whether the BA is an agent or independent contractor for notification timelines. Review the language of the Business Associate Agreement to determine the BA’s contractual obligations.
  4. Prepare and deliver breach notifications. In some cases, it may not be possible to obtain all the information required for the notification. Notification should nevertheless be sent with follow- up notifications as more information becomes available.
  5. Establish a process to determine whether substitute notice is required for 10 or more persons.

    6. Notifying HHS

    Covered entities must report breaches to HHS by completing the online breach notification form. TooltipBAs are allowed to file on behalf of covered entities and covered entities may file on behalf of BAs.

  6. Prepare and deliver, publish and/or broadcast substitute notice as required.
  7. Determine if notice to the media in a given State is required because the breach affects more than 500 residents of that State.
  8. Determine if immediate notice to the Secretary of HHS is required because the breach affects more than 500 people.
  9. Maintain a log for annual reporting to the Secretary of breaches affecting 500 or fewer persons and submit it to the Secretary within 60 days after the end of the year in which the breach is discovered.
  10. If a BA is contractually obliged or has otherwise agreed to discharge some or all of these notice obligations, monitor the BAs performance. The plan remains liable for delivering the notices regardless of its arrangements with a third party.
  11. Determine whether any additional mitigation efforts are required to prevent any harm to the individual. Keep in mind that the concept of “harm” in this context extends beyond financial losses.

Footnotes

[1] We are aware of one situation where an employer with a self-insured health plan sent an employee’s medical records to a physician for external review of a claim. The doctor’s spouse visited his office and, seeing the records lying around, used the back side of them to print out Groupons which she then used at various locations throughout the community.

[2] Most of the States have also passed legislation imposing certain notice obligations that may apply when there has been a breach of PHI or other personally identifiable data. Discussion of those laws is beyond the scope of this material.

[3] Note that even a disclosure of PHI that would otherwise be alright but for the fact that the amount of information disclosed exceeds the amount permitted by the “minimum necessary” rule may qualify as a breach.

[4] This is not an all inclusive list; depending on the circumstances, additional factors may have to be considered.

[5] These can be found at http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html

[6] 45 C.F.R. §164.404(a)(2), 164.410

[7] Keep in mind the privacy issues that may be implicated when speaking to a person other than the affected individual.

[8] The term “State” includes the District of Columbia, the Commonwealth of Puerto Rico, the Virgin Islands, Guam, American Samoa and the Northern Mariana Islands.