All organizations regulated by HIPAA must now document and report security incidents. The path from investigation to notification begins with discovery and initial investigation of the security incident, followed by a determination as to whether there was a security breach and a subsequent privacy breach, followed by breach notification. Most simply: first the security investigation, next the privacy investigation and lastly breach notification. In a perfect world…
There are many ways that a security or privacy incident can be discovered. In some cases, a breach of privacy does not involve an electronic record and the incident may not require a security review, for example using an incorrect fax number while sending PHI. In other cases, a specialized security review will need to be completed prior to understanding whether a privacy breach has occurred. Other cases may clearly represent a privacy breach but require additional investigation to determine the affected individuals. The realistic nature of a HIPAA security and privacy investigation is that the two must occur together in a concerted effort, with clear hand-offs and mutual understanding from incident response personnel.
As of September 23, 2013 security and privacy investigation and eventual breach notification are now more broadly applied, more strictly enforced and carry direct civil and criminal liability no matter the organization’s designation as a covered entity, business associate or subcontractor. All security incidents, suspected or known, are to be investigated, documented and reported by all organizations regulated by HIPAA.
The flow of reporting and notification generally goes upstream with subcontractors notifying business associates, business associates notifying covered entities, and covered entities notifying the Office of Civil Rights (OCR) as the enforcement arm of the Department of Health and Human Services (HHS). The caveat is notification to individuals who have been affected, a responsibility that is generally held by a covered entity but may be passed downstream to business associates and subcontractors through business associate agreements or other arrangements.
For newly liable business associates and subcontractors, the security/privacy investigation and breach notification tango is likely brand new; the steps for these organizations are likely undefined and very likely unpracticed. Even for covered entities, who have done the dance for nearly a decade, the Omnibus final rule changes the breach notification requirements significantly. Before Omnibus, if a breach did not cross a “harm” threshold, the incident could go unreported. Now, the harm threshold has been removed. Following every discovered breach, the security incident report must be sent upstream, including incidents reported to covered entities from business associates and their subcontractors.
With upstream notification, the Omnibus regulatory changes have created a system of self-reporting of violation and breach of unsecured protected health information. Organizations all the way down the business chain that create, receive, maintain or transmit protected health information will send their security and privacy incidents to the HHS, so the HHS mustn’t go looking for breaches but must wait for all organizations to self-report. For organizations that will not follow these rules, the OCR and HHS have stacked the deck with a sky-is-the-limit penalty for willful neglect, including individual prison time and monetary penalties.
All this means it is time for every organization regulated by HIPAA to take a look at their incident procedures no matter whether the organization is a provider that has always been a covered entity, a healthcare software maker that has always been a business associate, or a third-party colocation data center that is a newly covered subcontractors. For starters, assign responsibility. The HIPAA Privacy and Security Rules both contain a clear requirement to assign an individual to hold responsibility for developing policies and procedures to comply with each subpart. These individuals are most commonly referred to as the Privacy Officer and Security Officer, respectively, but can have any title so long as his or her documented job description includes the defined responsibilities from the HIPAA rule. The HIPAA Privacy Rule also requires an organization designate a public contact to whom complaints and requests for additional information from the public are to be sent. These assignments must be documented and communicated effectively to the rest of the organization. While business associates may not be required to assign a Privacy Officer by regulation, the requirements for incident reporting and breach notification are wide-ranging. Understanding and managing these requirements will likely require a very similar role be assigned.
Once roles have been assigned and communicated, the real work begins for the incident response team. The Privacy Officer and Security Officer will make the core of the security and privacy investigation team (for some organizations this may be the same individual). They will need to work together to ensure that incidents are being proactively prevented, and along each step of the process from discovery to correction. Begin by developing a policy that details the goals of incident response, ensure the policy includes the specific intent of the program, stating that:All known and suspected incidents will be reported and reviewed by the Security and/or Privacy Officer to determine if a security policy has been violated and to determine if any individuals’ protected health information has been inappropriately accessed, modified or destroyed. The outcome of the investigation will be formally documented, regardless of whether a suspected incident is determined not to have resulted in a security or privacy incident.
Anyone responsible for a breach will be appropriately sanctioned and the sanction activity will be documented. Appropriate breach notifications will be made following a breach of unsecured protected health information.Next develop the standard procedures that will be used to achieve the stated incident response policy goals. The procedures should outline the “how-to” to complete the investigation and reporting, including what steps to follow to determine which individual’s PHI was affected. This detailed information must be included in breach notification. It is important to include procedures during investigation to determine if the breached information was “unsecured” which generally means “unencrypted” PHI, a noteworthy exception referred to as “safe harbor” for breach notification. If the information was appropriately “secured” the incident must be investigated and documented, but does not need to be reported because it can be reasonably assumed the “secured” information was not actually accessible despite being lost or stolen. Finally, breach notification procedures to be used following an investigation are well defined in the HIPAA regulatory writing. Once it has been determined that a security incident has led to a breach of the confidentiality, integrity or availability of information protected under the privacy rule, a new round of investigation begins to answer key questions: Who was affected and how? What notifications must be sent upstream? Can the individuals be contacted by phone or through a letter? Does a breach notice need to be posted on the entity’s public website? All these answers will need to be documented and sent as part of the upstream breach notification.
The kicker: breach notification must be made without reasonable delay and no later than 60 calendar days after discovery of a breach… which should sound as daunting as ever.