This article provides guidance regarding what to expect, and what you should do, once a Business Associate has notified you of a breach. By now, you should already have a plan in place that helps you respond to this dreaded predicament. However, we know from experience that many of you don't, and even if you do, read on, you may learn something new.
The approach we take in the article is to use the breach notification process as a backdrop to point out a number of "holes" you may have in your HIPAA/HITECH compliance initiative, ones that you are likely not even aware of.
Tracking Security Incidents?
The term "security incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. An attempt qualifies as an incident.
If you are not rigorously tracking incidents, then you can't possibly know when you have a breach. One of the first questions that an HHS auditor is going to ask is "show me the system (i.e. the policies, processes and tracking mechanism) your organization uses to track security incidents." If you can't adequately answer this most basic of questions, you may be in willful neglect land five minutes into the audit.
Ok, so let's assume that for the purpose of this article you, as the covered entity, have a state of the art security incident tracking system in place. What we really want to know is "What kind of tracking system does your business associate have in place?" If the answer is "we don't have a clue," then may the HIPAA gods help you if it turns out that in fact, despite "catching" this incident, there is no business associate system in place at all.
How Do You Know It's a Breach?
In order to determine whether Breach Notification is triggered you need to follow a methodology that is mandated by the Breach Notification Rule ("Rule"). Although the Rule contains a basic methodology that is inherent in its text, it is not presented as such in the regulations. HIPAA/HITECH remain descriptive as opposed to prescriptive. That is, the regulations inform you as to what is required, but have very little (mostly nothing) to say about how you should go about complying.
The methodology consists of a three part analytical framework which we turn our attention to next. Although the framework only consists of three parts, it is significantly more complex than it first appears.
Although the evidence is becoming overwhelming regarding the cost of non-compliance, many covered entities remain confused as to how to quantify the risk. Given the cost of a Data Breach, you would think that this calculation would be a "no brainer," but you would be wrong. Why? Because human nature being what it is, many C-Suite executives are simply in denial or misinformed. They want to believe that they are doing OK and that the worst won't happen to their organization.
So how do we measure the risk, especially of an event that appears to be unlikely?
Risk = Probability x IMPACT
In the past the probability of something "BAD" happening as a result of HIPAA non-compliance was close to zero. Why? Because prior to the HITECH Act, HIPAA was an unenforced paper tiger. There was no fear or concern and none was warranted. All the "insiders" knew HHS' dirty little secret and acted accordingly. That all changed with HITECH. We now know that the impact of a major breach is HUGE! The impact may include:
Stiff fines from HHS
Multi million dollar notification costs
Lawsuits from State AGs
Class action suits
If you still believe that the impact is small then you have been asleep at the wheel, and it is likely that your organization will be the next to make news. No, most C-Suite executives now understand the impact. However, they also likely believe that the probability part of the equation is small. The question is:
What is the probability of getting caught?
The answer is that it is becoming more probable every day. Here are some scenarios sure to get you caught in descending order of probability:
Your organization will experience a breach;
Your organization will have a patient complain & the nature of the complaint will show "willful neglect;"
Your organization will be randomly audited.
The probability of all three scenarios is growing. We will explore the reasons this is true in subsequent posts.
The Illinois Personal Information Protection Act (PIPA) requires that any “data collector”, which includes businesses, universities, governmental agencies or any other entity that deals with personal information, notify Illinois residents in the event of a data security breach.
We have written previously that 2012 will be the year of enforcement (see this post). It will also be the year of the data breach. In 2012 State AGs will awaken from their slumber and start going after companies on the wrong side of this issue. They have a statutory right to bring an action under the HITECH Act, and as the link above illustrates they may become increasingly aggressive in bringing actions under state law as well.
The States are starving for revenue and the time is right with cybersecurity now a front and center national issue. You don't need a crystal ball to understand that this is where we are headed in the short run. Therefore, covered entities and business associates are well advised to get their houses in order.
If you need tools that will help with your compliance initiatives then check out the HSG Store. Do you need an Internet Lawyer with HITECH /HIPAA experience?
You know that data breaches (across industries) have made the big time when you are looking at Bloomberg's Businessweek Year in Review issue and this topic is highlighted. Here are some startling numbers:
262,812,546 confirmed number of records exposed or stolen from more than 800 incidents.
37% rise in the number of hacking incidents over last year.
Hacking as the most common breach: 81%
Stolen hardware 4.4%
Virus phishing 2.7%
Lost hardware 2.1%
Other 9.8%
It is unclear where Bloomberg got these numbers. Anecdotally, it is surprising to see hacking as the most common breach because in healthcare this does not appear to be the case (yet). Obviously, getting hard, reliable information regarding data breaches will continue to be a challenge, but the problem is big and getting bigger. The "bad guys" are quite sophisticated and will follow the data that leads to money. Healthcare in particular is quite rich from an identity theft perspective.
This column is about a security incident that my company caused earlier this year. It's a long and detailed description. I'm confident that those of you who have never been through a security incident will find the article tedious. I invite you to read just the ending on lessons learned, or save your hard-earned free time for one of HIStalk's other excellent columns.
The article above does an excellent job of presenting a "blow-by-blow" (literally in some cases) analysis of what it is like to experience, and effectively manage, a data breach (in this case at a subcontractor of a business associate). It is a process fraught with complexity and risk, requiring rapid-fire decision making and analysis while at the same time collaborating with a host of stakeholders and advisers (e.g. business partners, government agencies, executive management, legal, etc.).
That is one of the reasons that our Model Business Associate Contract requires a covered entity and a business associate to develop a breach communication plan within thirty days (you can obviously substitute your own number) of executing the contract. When (usually not if, in our current environment) a breach occurs, you at least want to have some basics of a game plan in place.
Although MAeHC apparently did an excellent job of working their way through these challenges, they were literally inventing the plan as they went. To be clear, some of this is unavoidable, but having a breach notification framework in place before the fact would go a long way toward providing a degree of sanity in an otherwise chaotic business decision making environment.
Our HITECH Breach Notification Webinar gets you up to speed regarding the 800 pound gorilla of the HITECH Act. We walk you through a methodology for determining when notification is triggered, and how to notify patients, HHS, and prominent media according to applicable law. We also discuss the processes you need to have in place in order to track security incidents effectively in your organization. Finally, we review the Costs of Non-Compliance to ensure that you understand the potential risks your organization faces should a major breach occur.
•Sec. 13403. Education on health information privacy.
•Sec. 13404. Application of privacy provisions and penalties to business associates of covered entities.
•Sec. 13405. Restrictions on certain disclosures and sales of health information; accounting of certain protected health information disclosures; access to certain information in electronic format.
•Sec. 13406. Conditions on certain contacts as part of health care operations.
•Sec. 13407. Temporary breach notification requirement for vendors of personal health records and other non-HIPAA covered entities.
•Sec. 13408. Business associate contracts required for certain entities.
•Sec. 13409. Clarification of application of wrongful disclosures criminal penalties.
However, if you really want to understand where HITECH's real teeth lie, you will focus on Sec. 13402 (Breach Notification). Why? Well, for lots of reasons, but let me provide a quote from a paper recently produced by the National Research Council:
Another example relevant to cybersecurity is the flurry of privacy breach notification laws adopted in 44 states, led by the state of California in 2002. Both public and private entities must notify affected individuals when personal data under their control has been acquired by an unauthorized party. The law was intended to ensure that individuals are given the opportunity to protect their interests following data theft, such as when 45 million credit card numbers were stolen from T.J. Maxx's information technology systems. Breach-disclosure laws are also designed to motivate companies to keep personal data secure. Unquestionably, firms are now more aware of the risks of losing personal information, and have directed more investment in preventative measures such as hard drive encryption (Mulligan and Bamberger 2007).
The title of this paper is "Deterring CyberAttacks: Informing Strategies and Developing Options for U.S. Policy" and it deals with cybersecurity from a macro/national perspective. However, the authors clearly understand that every industry must play a part, especially the financial and healthcare industries. Breach Notification is the 800 pound gorilla of the HITECH Act and represents the one provision that is most likely to change behavior.
TRICARE, the U.S. military health program, has reported a massive breach affecting protected health information for 4.9 million patients in 10 states treated in San Antonio military facilities between 1992 and Sept. 7, 2011.
Despite the fact that the PHI of 4.9 million patients has potentially been compromised, TRICARE is apparently not treating this incident as a breach that requires notification because:
"The risk of harm to patients is judged to be low despite the data elements involved..."
This is the very thing that consumer groups (and some legislators) feared would happen when HHS introduced the "harm threshold" analysis into the breach notification decision. At least some legislators (and apparently the White House) had a problem with the "harm threshold" issue (i.e. a threshold determined solely by the covered entity), and others claimed that this "harm threshold" was NEVER the intent of the law and that HHS went too far in introducing it into the regulations.
Looks like TRICARE has elected to add fuel to the fire. We believe that this is likely to backfire and to strengthen the hand of those pushing for regulations that could not be so readily sidestepped. The State Attorney General in Texas may have the last word on this one, and it is likely that HHS will be pushed to do an investigation.
This post provides a summary of OCR's 2012 budget (see below). From the looks of things, OCR is increasing its spending more in education than in enforcement. Perhaps OCR is relying on the state attorneys general to do the "dirty work" of enforcement. That said, continued PHI breaches such as those announced today may have more to do with actual enforcement going forward than current budget dollars.
Overview of Budget Request
The Office for Civil Rights requests $46,717,000 in FY 2012, an increase of $5,618,000 over the FY 2010 enacted level of $41,099,000. OCR's FY 2012 request supports OCR's activities as the primary defender of the public's right to nondiscriminatory access to and receipt of Federally funded health and human services. In addition, the budget supports OCR's significantly expanded compliance responsibilities that protect individuals' personal health information under the Privacy and Security Rules issued pursuant to the Health Insurance Portability and Accountability Act (HIPAA).
Program increases:
Regional Office Privacy Advisors (+$2.283 million)
Section 13403(a) of the HITECH Act requires the Secretary of HHS to designate Privacy Advisors in each of OCR's ten regional offices to offer guidance and education to covered entities, business associates, and individuals on their rights and responsibilities related to Federal privacy and security requirements for protected health information. An increase of $2,283,000 and 10 FTE is requested to fund this responsibility.
Enforcement of the HIPAA Security Rule (+$1 million)
This increase will support OCR's delegated authority for the administration and enforcement of the Security Standards for the Protection of Electronic Protected Health Information (HIPAA Security Rule). Combining the authority for administration and enforcement of the Federal standards for health information privacy and security called for in HIPAA will improve HHS' ability to protect individuals' health information.
Investigation of the HITECH Breach Reports (+$1.335 million)
This increase will support OCR's activities to begin to investigate the HIPAA breach reports received since new regulations mandated by the HITECH Act went into effect on September 23, 2009, and to establish the staffing resources necessary to begin to investigate subsequent breach reports. Section 13402 of the HITECH Act created a requirement for HIPAA covered entities to report to the Secretary any breaches of unsecured protected health information. As of September 30, 2010, OCR has received a total of 9,300 breach reports (191 impact more than 500 individuals and 9,109 impact less than 500 individuals). Current OCR practice is to validate, post to the HHS website, and subsequently investigate all breach reports that impacted more than 500 individuals. Breach reports that impacted fewer than 500 individuals are compiled for future reporting to Congress; however, they are treated as discretionary and only investigated if resources permit. Based on OCR's current HIPAA case load, almost all breach reports that impact less than 500 individuals are not investigated. Accordingly, OCR requires additional FTE and resources to ensure it is able to conduct investigations of potential small- and mid-sized breaches.
Compliance Review Program (+$1 million)
This increase will support OCR's establishment of a compliance review program designed to evaluate, educate, and ensure compliance within a sample of the expanded covered programs and providers each year. OCR anticipates that FY 2012 will be the starting point for a steady increase in civil rights complaints requiring investigation and compliance reviews.
Many of us who track the healthcare compliance space, especially after the HITECH Act and its corresponding emphasis on electronic health records (EHRs), have suspected that the potential for persistent breaches of PHI on the part of covered entities and business associates was significant.
This is especially true because the HIPAA Security Rule, which pertains only to electronic PHI (ePHI), had largely been ignored by the healthcare industry (i.e. because EHRs had not been widely adopted). Let's consider some facts based on breach metrics that are widely available. In an article by HIPPA.com the following HHS metrics are highlighted:
As of August 17, 2011, there have been almost 11.6 million individuals impacted by 300 breaches affecting a minimum of 500 individuals per breach. Approximately 3 out of 4 of these breaches involve electronic media, the rest hard copy such as paper or film, and about 18% involve a business associate of a covered entity. In addition, HDM Breaking News on August 3, 2011, reported OCR has acknowledged that from inception of public disclosure in September 2009 through mid-May 2011, there have been 31,000 breaches affecting fewer than 500 individuals per breach, which only have to be reported to HHS annually.
Obviously, these are just the PHI data breaches that have been reported. For a number of reasons it is safe to assume that the number of unreported data breaches could be significantly higher. In short, HHS/OCR are clearly aware that they are sitting on a "ticking time bomb" because as EHRs become ubiquitous so will instances of PHI data breaches unless something is done to curb the tsunami.
That something is aggressive HITECH / HIPAA compliance enforcement, coming soon to a theatre near you. Why? Because in the 21st century world of EHRs, HIPAA as a paper tiger is no longer tenable. HIPAA, after its fifteenth birthday, is finally coming of age.