You might think that the answer to that question is relatively straightforward but, like most things HIPAA, you would be wrong. To answer that question you need to apply a three-step analytical framework that is contained within the Rules but not presented in a manner readily understood even by most compliance officers. In this article we will "demystify" the framework, but don't get lulled into a false sense of "OK, I got this," because the real-world application of the framework is far more challenging than it looks "in the lab."
The three-step analytical framework is comprised of the following questions:
Was there an impermissible use or disclosure of unsecured PHI?
Does one of the exceptions in the definition of Breach apply?
Is there a low probability that the PHI was compromised?
The questions appear relatively straightforward, but upon closer scrutiny one discovers the complexity almost immediately. The first question actually requires answering two sub-questions: (1) whether the Privacy Rule was violated, an exercise that requires its own analytical framework; and (2) whether the PHI in question was "unsecured." In our Breach Notification Framework we provide a methodology for "walking through" the Privacy Rule in order to determine whether it has been violated. For the purposes of this article the flow chart below serves as a good metaphor for the process.
In other words, figuring out whether the Privacy Rule has been violated is not as easy or predictable as one might think. It essentially requires you to "walk through" the general rules located in Section 164.502 in order to arrive at an answer. The same holds true for the second part of question one (i.e. whether or not the PHI is "unsecured"). Before you can answer this question you need to know two things: (1) whether or not encryption had been enabled for the PHI in question; and (2) what "state" the PHI was in at the time that it was allegedly compromised. The next flowchart depicts this process:
As you can tell, we have not even finished answering the first question and the complexity has already increased significantly from what appeared to be a relatively straightforward question. If the answer to the first question is "Yes" then we know two things: (1) the Privacy Rule has been violated and therefore there is a potential that notification will be triggered; and (2) the Breach Notification safe harbor does not apply because the PHI in question has not been rendered "unusable, unreadable, or indecipherable."
In order to determine whether Breach Notification has in fact been triggered, we need to move on to the next question in the framework: "Does one of the exceptions to the definition of Breach apply?" In order to make this determination you will need to compare the facts of the alleged Breach that you are investigating to the facts contained in the three exceptions. In essence you are being asked to compare your facts against three hypothetical factual scenarios. If your facts fit one of the scenarios then you just won the Breach Notification lotto, because there is no Breach by definition.
If, however, you have not won the Breach Notification lotto, then you need to proceed to the third and final question of the analytical framework: "Is there a low probability that the PHI in question was compromised?" Here you have several difficulties to overcome: (1) when you reach this step in the framework there is a presumption of a breach by law; and (2) the covered entity has (as one would expect) the burden of overcoming that presumption. In short, you had better be able to prove a compelling reason why your organization has determined that there is a low probability that the PHI was compromised. Good luck with that!
There's really nothing to it, right? Wrong! Well, at least with respect to the "close cases." If you are not sure, then seek the advice of counsel. You are well advised to be cautious and prudent, and to have any decision you make well documented! It goes without saying that if the Breach is large enough you can expect an audit, a class action lawsuit, fines from HHS and, of course, millions of dollars in notification costs. It's not going to be a good day.
Looking for a simplified way to train your staff on HIPAA Breach Notification? For a limited time, we are offering our Breach Notification Training Module F*R*E*E* when you sign up for our monthly newsletter (also free).
So Ret. Adm. James Stavridis, former NATO Supreme Allied Commander, told CNBC on Thursday (12/15) that we are headed for a cybersecurity Pearl Harbor, one that we are ill-prepared for. This is particularly worrisome because the threat level is high and the preparation is low. The money quote follows:
"The U.S. has a pressing need to bolster its weak cybersecurity in the face of huge breaches like Russia's suspected sabotage of the election system and Yahoo's billion-user hack...It is the greatest mismatch between the level of threat, very high, and the level of preparation, quite low...We're headed toward a cyber Pearl Harbor, and it is going to come at either the grid or the financial sector."
I don't think that it requires a former NATO Supreme Allied Commander to call out the likely threats as: (1) the grid; or (2) the financial sector. These threats are obvious: the first, if taken out, STOPS the economy dead in its tracks; the second causes widespread panic and perhaps triggers the much anticipated (in some circles) systemic collapse of the world financial markets (i.e. sans the potential for a bailout this time).
I would add that the healthcare industry writ large is the third target on the list, and easily within the top five. This target may be far "richer" than the other two because an attack on it could (perhaps) be more readily concealed as the work of a non-government agent. The first two attacks amount to cyber declarations of war; the third, not so much.
What does this have to do with HIPAA? Well, everything and nothing. Given the Russian hack that disrupted our election (i.e. true or NOT) and the recent Yahoo breach, cybersecurity is likely something that Trump cannot afford to be cavalier about. In fact, quite the opposite is true. Trump is likely to come out strong on cybersecurity on all fronts or risk being perceived as weak on an important national security issue.
Trump does NOT want to appear weak on anything. He is unlikely, IMHO, to ask HHS to "stand down" on its HIPAA enforcement. Although Trump may eviscerate the EPA, HIPAA is likely to survive any attempts at wholesale deregulation across the board.
Description: The webinar explores various attributes of phishing schemes as they pertain to HIPAA.
Thursday, December 15, 2016 2:00 PM - 3:30 PM EST