Breach Notification

Breach Notification Times

HIPAA Breach Notification Reporting Times

In a recent article I broke down the HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, into what the Department of Health and Human Services (HHS) requires of Covered Entities (CEs) AND their third-party vendors in the event of a breach of unsecured protected health information (PHI). Today I am going a step deeper into the rule in order to help you understand the requirements for HIPAA breach notification reporting time.

Time is on My Side

Today, it is all about HIPAA Breach Notification requirements when it comes to time. Although The Rolling Stones said “Time Is on My Side”, the truth is that when an organization experiences a healthcare data breach, time is NOT on their side!! That’s because the clock starts ticking the moment an incident is detected. It doesn’t matter who finds it, the time is still the same.

How Much Time Do You Have?

The HIPAA Breach Notification Rule states an organization must provide notification without unreasonable delay and in no case later than 60 days following a breach. HHS is NOT the only game in town when it comes to reporting breaches; there are also state rules that need to be followed. To make matters more confusing, each state has its own. That’s right, there are 50 different state Breach Notification Rules.

I found this handy link provided by Davis Wright Tremaine LLP; it allows you to select your state of choice for a summary of the data breach notification statutes for that state. https://www.dwt.com/gcp/state-data-breach-statutes

This Includes Third-Party Vendors Too

It is all about HIPAA Breach Notification Time, yours and your third-party vendors’. CEs use Business Associate Agreements (BAAs) to identify notification timeframes for acting once a breach is discovered. If a breach is discovered at your organization, or if you are notified of a breach by one of your vendors or partners, do you know your breach notification times? Here are some things to consider when evaluating your BAAs:

• If you are a CE, does your patient population encompass multiple states? Do you know what the breach notification times are for each state?
• If you are a third-party vendor, is the breach notification time the same for all your clients and subcontractors?

Almost every week there is a new story that involves a third-party healthcare data breach. Some of the biggest ones were making the news as I wrote this article. Remember, the breach notification time clock starts ticking the moment a breach is detected, and it doesn’t matter who finds it, the time is still the same. That means you’ll want to evaluate your BAAs to verify they are in compliance with both state and federal regulations.

HIPAA Breach Notification Rule Enforcement

HHS is Not the Only Federal Agency Enforcing the HIPAA Breach Notification Rule

This week I am breaking down the HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, directly from Health and Human Services (HHS). The HIPAA Breach Notification Rule requires that hospitals, insurance companies, healthcare providers and their third-party vendors provide notification following a breach of unsecured protected health information (PHI). But…

Who Else is Watching Where Patients’ Information Goes?

The Federal Trade Commission (FTC) also enforces the Health Breach Notification Rule, which requires certain organizations (both businesses and nonprofits) not covered by HIPAA to notify their customers, the FTC, and, in some cases, the media if there’s a breach of unsecured, individually identifiable health information. The FTC has not forgotten about makers of health apps, connected devices, and similar products. In a statement released on September 15, 2021, the FTC made it clear that developers and/or manufacturers of health apps, connected devices, and similar products must comply with the Rule. To help, they have provided developers with the following guidance: Mobile Health App Developers: FTC Best Practices.

And let’s not overlook that State Attorneys General have also implemented and enforced similar breach notification provisions for vendors (i.e., BAs) of personal health records and their third-party service providers. CEs and BAs that fail to comply with HIPAA Rules can and have received civil and criminal penalties. You should know that the Office of Civil Rights opens a compliance review of all reported breaches that affect 500 or more individuals, and many breaches affecting fewer than 500.

HIPAA Breach Notification Rule Enforcement

Significant breaches ARE investigated by OCR, and penalties may be imposed for failure to comply with the HIPAA Rules. Breaches that affect 500 or more patients are publicly reported on the OCR website, affectionately referred to as the “Wall of Shame.” Once your name has been written on the wall, there it shall remain. Trust me when I tell you, this is not a list you want to see your organization’s name on.

HIPAA Security Incident vs Breach

HIPAA Security Incident vs Breach What’s the Difference?

Today I am breaking down the difference between a HIPAA security incident and a breach. First, allow me to set the stage with definitions to provide some clarification.

What are HIPAA Security Incidents?

The HIPAA Security Rule defines security incidents as attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. (See the definition of a security incident at 45 CFR 164.304.) When a security incident happens, and they do happen, effective response planning can be a major factor in how much operational and reputational harm and/or legal liability an organization suffers. Being able to respond to incidents in a systematic way ensures appropriate response steps are taken each time, helping to minimize the impact of breaches.

What would you do?

What if this scenario happened in your organization? Would your workforce know what to do?

⇒ My office just experienced a cyber-attack!

The previous example emphasizes the importance of creating a security incident response plan for your organization.

Incident Response Plan

An Incident Response Plan is intended to assist Covered Entities (CEs) and their third-party vendors, referred to by the Department of Health and Human Services (HHS) as Business Associates (BAs), in detecting breaches, decreasing loss and damage, mitigating the weaknesses that were exploited, protecting the confidentiality, integrity, and availability of data, and restoring IT services back to normal. When establishing incident response capabilities, CEs and BAs should consider:

• Developing written incident response policies, plans and procedures
• Building relationships and setting up plans for communicating with internal and external parties regarding incidents
• Staffing and training

What is a HIPAA Security Breach?

The HIPAA Security Rule identifies breaches as an impermissible acquisition, access, use, or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of protected health information (PHI). (See the definition of a breach at 45 CFR 164.402.) An impermissible use and/or disclosure of PHI is presumed to be a breach unless the CE or BA, as applicable, demonstrates there is a low probability the PHI has been compromised based on a risk assessment. OCR provides an All Case Examples list of HIPAA compliance enforcement actions organized by CE type or issue. The list contains several case studies of impermissible uses and/or disclosures. I recommend reviewing the list to see how OCR addresses each one.

It is a HIPAA Breach, Now What …

The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires that after experiencing a breach of unsecured protected health information (PHI), CEs and their BAs notify affected individuals, the Secretary, and, when required, the media.

Notification By a Third-Party Vendor

BAs must notify CEs if a breach occurs at or by the BA. The BA must provide notice to the CE without unreasonable delay, and no later than 60 days from the discovery of the breach. Where possible, the BA should provide the CE with the identification of each individual affected as well as any other available information.

The Office of Civil Rights “Wall of Shame”

More and more people are hearing of OCR’s “Wall of Shame.” All it takes to join this infamous list is a breach of unsecured PHI that affects 500 or more individuals. After you’ve reached that magic number (500 or more patient records breached), you must notify the media. If a breach affects fewer than 500 individuals, the CE must notify the Secretary and affected individuals. Reports of breaches affecting fewer than 500 individuals are due to the Secretary no later than 60 days after the end of the calendar year in which the breaches occurred.

Did You Know?

Breaches are not the ONLY way to make it onto the wall. Oh no, all it takes is for someone to file a complaint about your organization involving any of these reasons:

• Civil Rights
• Conscience and Religious Freedom
• Health Information Privacy

Once OCR receives a complaint, they begin their investigation. When they come calling, they don’t ONLY look at areas related to the complaint. Instead, they look at your ENTIRE compliance program. Now I ask you, if this happened, would YOU be ready for OCR?

See Why it Matters

In 2018, there were 76 healthcare data breaches involving Business Associates added to the “Wall of Shame”. 5,730,242 patients’ medical records were breached:

• Hacking/IT Incidents = 35
• Unauthorized Access/Disclosure = 34
• Loss = 5
• Theft = 2

For more details about the HIPAA Breach Notification Rule, visit the HHS website. It doesn’t matter what size you are; hackers know healthcare is rich with unsecured data worth approximately $408.00 per record on the Dark Web.

Remember: Keeping your PHI secured and maintaining HIPAA compliance is YOUR responsibility. Providers and third-party vendors need to understand that patients are entrusting them with their most private and intimate details, and they expect it to remain secure.
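To make the timeline concrete, here is an added worked example (not from this post or its author) that turns the deadlines described in the breach notification posts above, 60 days from discovery, the 500-individual media threshold, and the calendar-year rule for smaller breaches, into dates. It assumes calendar days, that every clock starts at the discovery date regardless of who found the breach, and that a BAA clause (the assumed `baa_notice_days` parameter) can shorten but never extend the BA-to-CE window.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Figures taken from the posts: 60-day outer limit, 500-individual threshold for
# media notice / Wall of Shame, and the calendar-year rule for smaller breaches.
OUTER_LIMIT_DAYS = 60
MEDIA_THRESHOLD = 500


@dataclass
class NotificationPlan:
    individuals_due: date          # notice to affected individuals
    secretary_due: date            # report to the HHS Secretary (OCR)
    media_required: bool           # 500+ individuals: media notice, Wall of Shame, OCR review
    ba_to_ce_due: Optional[date]   # only set when the breach was discovered at a Business Associate


def notification_plan(discovered: date, affected: int,
                      at_business_associate: bool = False,
                      baa_notice_days: Optional[int] = None) -> NotificationPlan:
    """Outer deadlines for one breach, all keyed off the discovery date.

    baa_notice_days is an assumed contractual clause: a BAA may shorten the
    BA-to-CE window but cannot push it past the 60-day federal limit.
    """
    if affected < 1:
        raise ValueError("a breach must affect at least one individual")
    outer_limit = discovered + timedelta(days=OUTER_LIMIT_DAYS)

    if affected >= MEDIA_THRESHOLD:
        # Large breach: individuals, the Secretary and the media all within 60 days.
        secretary_due = outer_limit
    else:
        # Fewer than 500: the Secretary is told within 60 days after the calendar year ends.
        secretary_due = date(discovered.year, 12, 31) + timedelta(days=OUTER_LIMIT_DAYS)

    ba_due = None
    if at_business_associate:
        days = OUTER_LIMIT_DAYS if baa_notice_days is None else min(baa_notice_days, OUTER_LIMIT_DAYS)
        ba_due = discovered + timedelta(days=days)

    return NotificationPlan(individuals_due=outer_limit, secretary_due=secretary_due,
                            media_required=affected >= MEDIA_THRESHOLD, ba_to_ce_due=ba_due)


def days_left(due: date, today: date) -> int:
    """Calendar days remaining before a deadline (negative once it has passed)."""
    return (due - today).days
```

Run it against the discovery date in your incident ticket rather than the date the vendor's letter arrived; the posts' point is that the later date buys you nothing.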

Healthcare Security Incident

What if your Business Associates Had a Security Incident?

Covered Entities (CEs) believe it’s impossible to determine whether the policies and procedures of their Business Associates (BAs) are adequate to respond effectively to a security incident. To complicate matters, more believe their Business Associates would NOT notify them in the event of a security incident. It is crucial that BAs notify CEs in the event of inappropriate use or disclosure of Protected Health Information (PHI) not provided for in the contract. This includes any breaches of unsecured PHI, as well as any security incidents. The Business Associate Agreement (BAA) should specify how and for what purpose the PHI will be used by each BA or subcontractor.

HIPAA defines security incidents as attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. (See the definition of security incident at 45 CFR 164.304.) HIPAA also identifies breaches as access, use, or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of PHI. (See the definition of breach at 45 CFR 164.402.)

Did You Know?

Business Associates (BAs) are at greater risk because of their limited knowledge, understanding, and/or implementation of the HIPAA Security and Breach Notification Rules in their organization. BAs can be, and have been, held directly liable and subject to civil and, in some cases, criminal penalties for making uses and/or disclosures of protected health information (PHI) that were not authorized.

A Bad Year for Business Associates

During 2018, there were a total of 74 different Business Associate healthcare breaches added to the Office of Civil Rights (OCR) ‘Wall of Shame’, potentially compromising the health information of 5,726,824 individuals. Here are the breach types by the numbers:

• Unauthorized Access/Disclosure = 34
• Hacking/IT Incident = 33
• Loss = 5
• Theft = 2

That’s 71 new Business Associate breaches added to the ‘Wall of Shame’ whose organizations now could have OCR in their business affairs; this is NOT a position you EVER want for YOUR business. But wait, didn’t I just tell you there were 74 different BA healthcare breaches? Clearly, you were paying attention; that is because 3 different organizations had already made the list in 2018!! Find out who made the list by requesting your copy of the ‘2018 Business Associate Healthcare Data Breach Report’.

Remember: Keeping your PHI secured and maintaining HIPAA compliance is YOUR responsibility! Covered Entities and Business Associates need to understand that patients are entrusting them with their most private and intimate details, and they expect it to remain secure. Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy! Why are you leaving yourself wide open to such risks?

For tips like this and more, request your copy of the “HIPAA Security Rule – Know The Rules!” Newsletter today.