It might have been a phishing scheme or a stolen laptop with unencrypted data on it. Or, maybe a hurried staff member made the choice not to use encrypted email or secure file-sharing yesterday, and someone’s data got exposed. Whatever it was that opened the door, you’re now dealing with a breach of your data.
What do you do?
Whether intended or not – as when a Lake County Health Department employee sent an unencrypted email this past May with 24,000 patient medical record requests in an attached spreadsheet, or when medical technician Olivia O´Leary commented on her Facebook in 2017 regarding an accident victim who “should’ve worn her seatbelt,” (and later posted, “Yep, I was working today when they came into the ER,” which identified her hospital) – HIPAA violations and data breaches happen. You need to know how to respond.
Basic Steps for Covered Entities
Step 1: Tell Your Privacy Officer
If you know or believe that a HIPAA violation has occurred, the first step is to involve your Privacy Officer. A critical part of their job is to investigate such incidents and determine how to reduce the potential harm to all involved.
Your Privacy Officer will need to gather and record all important details, including the date of discovery and all parties impacted, and if required, send a report to the Office of Civil Rights (OCR). Step 2 will help determine if a report must be sent to OCR.
Step. 2: Perform a Risk Assessment
Your Privacy Officer should initiate a risk assessment, identifying all risks to patients and the organization. This will also help determine the necessary mitigation process.
Note that disclosure of PHI is to be considered a breach (and HIPAA Breach Notification Rule 45 CFR §§ 164.400-414 requires notifications to be issued) unless the Privacy Officer can show that a “low probability” exists that PHI has been compromised.
As the AMA points out, a physician’s involvement (if applicable) may also help determine whether a “low probability of compromise” occurred. This involves applying a 4-factor test:
- Identify the nature/extent of PHI involved. Include types of identifiers and likelihood of re-identification (re-disclosure)
- Identify the unauthorized person (or people) to whom the disclosure was made, or who used the PHI
- Discover if the PHI was actually acquired or viewed
- Determine the extent to which the risk to the PHI has been mitigated
Note: Specifically, there are three exceptions to reporting, according to HHS. These are especially relevant in cases of accidental HIPAA violations – though employees should always communicate each case to their Privacy Officer:
1) An unintentional acquisition and use of PHI by a covered entity or business associate, if such was made in good faith and within the scope of authority.
Example: An email sent to a staff member in error, but later securely destroyed with no further disclosure.
2) An inadvertent disclosure of PHI between authorized persons (whether a covered entity or business associate) to another person authorized to access PHI at the covered entity or business associate, or another organized healthcare arrangement in which the covered entity participates.
Example: The medical information of the wrong patient is disclosed to another individual authorized to receive it.
3) A good faith belief that an unauthorized person to whom the impermissible disclosure was made would not retain the information.
Example: A physician gives a medical record to someone not authorized to view the information and retrieves the information before any PHI has likely been read.
Step 3: If required, send the report to the Department of Health and Human Services’ Office for Civil Rights (OCR)
If it is determined that a breach should be reported to the OCR, it must be submitted without delay (up to 60 calendar days following the date of discovery), lest penalties should be incurred. The report will outline the circumstances of the breach, noting if a mistake was made and how it happened, and including which patient’s records were viewed or disclosed. See the HHS breach notification portal.
Timely reporting is essential, as failures to report in time can snowball into a major incident, potentially requiring disciplinary action from your employer.
Notifying Appropriate Parties
HHS has set the requirement that if a breach of unencrypted PHI involves more than 500 persons, a covered entity must notify a prominent media outlet in the state or jurisdiction in which the breach occurred, as well as HHS.
Further, HHS requires covered entities to provide
“…individual notice in written form by first-class mail, or alternatively, by email if the affected individual has agreed to receive such notices electronically. If the covered entity has insufficient or out-of-date contact information for 10 or more individuals, the covered entity must provide substitute individual notice by either posting the notice on the home page of its website for at least 90 days or by providing the notice in major print or broadcast media where the affected individuals likely reside. The covered entity must include a toll-free phone number that remains active for at least 90 days where individuals can learn if their information was involved in the breach. If the covered entity has insufficient or out-of-date contact information for fewer than 10 individuals, the covered entity may provide substitute notice by an alternative form of written notice, by telephone, or other means.” (See the HHS website for more details, including responsibilities of a Business Associate).
If the breach involved fewer than 500 persons, covered entities may maintain a log of all relevant information, and should notify HHS within 60 days after the end of the calendar year. They can make the notification through the HHS website.
Data Protection Essential
Needless to say, the impact of a breach on your organization and your patients can be devastating. Patient’s reputations and livelihoods can be harmed, as well as your own.
The use of appropriate encryption and data loss prevention solutions for PHI are essential to guard against this occurrence. HIPAA Vault’s fully-managed security and secure solutions for hosting, email, file-sharing, and faxing can help you meet this need.
If you have any questions on HIPAA data security or any of the services we provide, please contact us! 760-290-3460.
HIPAA Vault is a low-cost leader of HIPAA compliant solutions, enabling healthcare providers, business organizations, and government agencies to secure their protected health information from data breaches, threats, and security vulnerabilities.