Identifying data breaches may seem like a relatively simple task. However, a number of factors can make breach assessment tricky, and with federal regulators stepping up enforcement of privacy laws, these pitfalls could land providers in hot water.
All forms of inappropriate access to protected health information (PHI) are not necessarily reportable data breaches under the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security rules. The flip side is that some vulnerabilities may need to be reported to the Department of Health and Human Services' Office for Civil Rights (OCR), even when there is no solid proof of inappropriate access. Providers need to be aware of these distinctions in order to avoid potentially costly penalties.
The first step in assessing a possible breach is determining whether PHI was exposed. But this is not as easy as it may sound. For example, Cris Ewell, chief information security officer at Seattle Children's Hospital, said the loss of a laptop containing PHI would most likely be a breach. But it can be hard to determine exactly how much PHI was lost, and therefore to understand the depth of the breach, because the clinician who used the device may have routinely added and deleted patient records.
Encryption further complicates matters. The HIPAA Security rule includes a safe harbor exemption for lost devices that are encrypted, so some organizations may feel their breach investigation responsibilities are done once they determine a device was encrypted. But Ewell said the loss of an encrypted laptop may still constitute a breach if the clinician wrote down their username and password on a sticky note left with the laptop. For this reason, breach assessments must continue even when the lost device was encrypted.
"Encryption by itself on a device that doesn't have power is absolutely great," Ewell said. "The difficulty comes in with anything that has power and you have to log in to. It's a good control, but it's not the end-all control."
Changes coming to breach assessments
As if determining whether a reportable breach took place wasn't difficult enough, the standard by which federal regulators will judge security incidents is changing. In September, changes stemming from the HIPAA omnibus rule, published in January, will go into effect. Before the regulation was changed, a reportable breach occurred when PHI for more than 500 patients was inappropriately accessed and when the misuse of this information could have led to real harm to patients. However, the changes put in place following the omnibus rule created a new standard in which regulators will presume risk to patients anytime information is inappropriately accessed, unless the provider can document reasons why harm is unlikely.
Rob Belfort, partner in the healthcare practice of the law firm Manatt, Phelps & Phillips LLP, said he feels the new standard creates new ambiguities and increases the burden to providers. The new rule was supposed to make breach assessments more black-and-white by presuming harm to patients anytime PHI is accessed inappropriately. But Belfort noted the preamble to the rule change states that regulators will still look at factors such as the nature of the information disclosed, the nature of the recipient and steps taken by the provider to mitigate the situation. Belfort said all of these considerations sound more appropriate under the old risk-of-harm standard.
"I'm not sure how some of those things relate to the possibility that the information has been compromised," Belfort said. "It shouldn't matter if it was HIV information or just someone's name and address and social security number. If you're moving away from risk to the patient, I don't see why the nature of the information is relevant."
All of this further complicates breach assessments and increases the burden on providers, Belfort said. Organizations must do a full risk assessment for each breach and, if they determine there is no possibility of harm to patients, document the reasons why.
Documentation is key
Whether talking about the current harm-threshold standard or the looming presumption-of-harm standard, it is important for providers to document every step of their breach assessment process. Should OCR choose to investigate an incident, organizations need to show that they took proactive steps to address the situation.
Alan Avery, chief operating officer at Managed Care Systems LP, which provides administrative support to organizations responsible for providing medical services, said federal regulators will take into consideration the time it takes providers to respond to data breaches when determining whether fines are appropriate. Organizations need to keep extensive documentation in order to show they were proactive in addressing a potential breach.
Avery uses a tool from ID Experts called RADAR to track information related to breach assessment and response. He said it helps him standardize the process and avoid missing steps along the way.
"The challenge was when it happens so rarely, you go through a process of 'how did I do it last time?'" he said. "It was a bookkeeping nightmare trying to figure out how to be compliant without calling your attorney every time."
Belfort said every organization should have some kind of process to standardize data breach response and documentation. Preparation can help providers respond proactively, rather than reacting to every incident.
"If [providers] don't have a formal tool that they're using I would recommend they develop one," Belfort said. "The more you have in place before the breach happens, the better off you'll be after it happens."