In an interesting turn of events, the Insurance Commissioner of the State of Connecticut is now requiring that they be notified any any of the entities that they regulate, which includes many members of the healthcare ecosystem who also need to comply with HIPAA/HITECH data breach regulations. Their Bulletin IC-25 requires that they be notified within 5 days of the identification of a potential data breach incident.

The involvement of insurance authorities in data security incident definition and notification further complicates the maze of laws and regulations faced by healthcare and other organizations that maintain personal information on patients, policyholders and clients, including protected health information (PHI). For instance, in this case, even encrypted data loss will require notification of the Insurance Commissioner, as will the loss of paper files.

They also indicate that:

“Depending on the type of incident and information involved, the Department will also want to have discussions regarding the level of credit monitoring and insurance protection which the Department will require to be offered to affected consumers and for what period of time.”

A recent survey described in an article by Healthcare IT News notes that preventing data breaches is the NUMBER ONE priority for IT decision makers in US hospitals.

While reducing risks of data breaches is important to them, of these same decision makers:

-  38 percent still report they cannot track inappropriate access in accordance with the regulations

- 19%  of respondents said they themselves do no understand the HITECH Act.

The implication is clear, that while preventing data breaches is of greatest importance to them, their ability to address the HITECH compliance obligations and in doing so eliminating data breaches from occurring, is sorely lacking.

“The results of survey demonstrate that hospitals are struggling to balance the need for greater security with the established workflow of physicians and staff. It is imperative that hospitals secure user access without re-engineering established clinician workflows, say survey officials.”

The new privacy rules  recently published by the Department of Health and Human Services in the NPRM (Notice of Proposed Rulemaking), if enacted, will only accentuate the challenges to hospitals. It would require that hospitals, and other HIPAA covered entities, “provide notice to individuals indicating that most disclosures of PHI for which the covered entity receives renumeration would require the authorization of the individual.”

So going forward, hospitals will be required to gain permission from patients to share information about them with any entity that is compensating the hospital for use of the data. In the past, they were permitted to share without permission, and it is likely that their systems and processes lack the appropriate level of granularity today to allow patients this level of control. More work for the hospital IT security team.

In recent weeks, there have been two bills introduced in Washington, D.C. that are attempting to set nationwide standards for the security and privacy of consumers’ personal information. The “Data Security and Breach Notification Act of 2010” was introduced by Senator Pryor (D-Arkansas) and Senator John Rockefeller (D-West Virginia) on August 5, 2010. The bill requires businesses and organizations that handle and store private consumer information, such as social security numbers, to use reasonable security policies and procedures” to protect such information and to “provide nationwide notice in the event of a security breach.”

This act would require organizations to use appropriate security technologies and processes to safeguard the personal information of consumers. It would also require them to periodically assess their risk profile and take corrective actions in addressing security weaknesses. It also would require notification of consumers affected by a data security breach within 60 days of discovery. And for the first time, this bill would require that the organization provide the affected consumers with two years of credit reports, credit monitoring or “other service that enables consumers to detect the misuse of their personal information.”

Separately, Senator Carper (D-Delaware) and Senator Bennett (R-Utah) introduced the “Data Security Act of 2010” a few weeks earlier. This bill focuses on entities such as financial institutions, retailers, federal agencies that handle vast amounts of consumer data. Like the Pryor bill, it includes a requirement for notification of consumers when a data security breach occurs where there is a substantial risk to the consumer of identity theft or account fraud, but it does not prescribe that consumers be provided with free access to credit monitoring or other services to prevent or detect identity theft and fraud.

Today, there are data breach notification laws in 46 states that each have somewhat different and inconsistent provisions for notification of consumers. One of the intents of a national bill would be to eliminate these inconsistencies ensuring that all consumers are treated fairly and consistently when affected by a data breach incident. This is likely to be controversial, however in states like California and Massachusetts where they have enacted stricter regulations that either of these two bills for the privacy protection of their consumers.

Additionally, these bills are likely to have some of the same issues that currently exist with the HITECH Act which provides for the security and privacy of protected health information (PHI). While the HITECH Act specifies notification of patients whenever a data breach occurs, the companion rules from the Department of Health and Human Services (specifically the Interim Final Rule) clarify that the provision for data breach notification is only for cases where there is a “substantial risk of financial, reputational or other harm” to the affected consumers.  While this may sound fairly logical, it has been met with resistance and distain from consumer advocates.

The issue with establishing and regulating use of a “harm threshold” for data breach notification is in the details. First, can we assume that the organizations affected will carry out a proper risk assessment and come to a fair and accurate conclusion as to whether there is a risk of harm. Such a determination can cost them millions of dollars in data breach remediation costs alone, not even considering the less measureable costs such as customer churn and reputational damage, which are just as real.  Such costs really could make it difficult for the same individuals that caused the data breach to admit that it could cause harm to the affected people.

Second, it has proven difficult to provide clear and objective guidance that would allow organizations to carry out a risk assessment to make the determination as to whether financial, reputational or other harm exists, when these factors are so subjective, quite open to interpretation and judgment. For example, if you were a patient at a hospital where you were admitted to have your appendix taken out, if the clinical records from this hospital were exposed, you may not consider the fact that everyone now knows that you are appendix-less to adverse to your reputation. On the other hand, if you were admitted for a procedure where it was necessary to do an analysis of your blood, and it was determined that you carry the AIDS virus, you may in this instance consider this as having a very negative impact to your reputation if this information was exposed. This situation illustrates how the same type of exposure (personal medical records) can in some instances be rather benign and in others be quite acute.

If legislation requires notification based on an interpretation as to a risk of harm to the affected population, the government regulators should consider whether organizations should be put in the conflicted position of self-assessing such situations. They also should consider how to provide more specific and concrete means to measure the risk of harm to consumers.

I’m sure we haven’t seen the end of new bills in Congress focused on providing for a national approach personal data privacy and security, and the associated requirements for notification in cases of a data breach. But it would be helpful to see additional thought going into this topic of how to assess whether a “data security incident” is in fact a “data security breach” for purposes of notification.

By Stephanie Cason

The Health Information Technology for Economic and Clinical Health (“HITECH”) Act, enacted on February 17, 2009, was designed to promote the widespread adoption and standardization of health information technology.  It supports this goal by adding amendments designed to strengthen the privacy and security protections of health information established by HIPAA and contained provisions that substantially expanded the HIPAA Privacy, Security, and Enforcement Rules.  The U.S. Department of Health and Human Services (“HHS”) published proposed regulations (the “Proposed Rule”) that will implement modifications to the HIPAA Privacy, Security, and Enforcement Rules under the HITECH Act.  The Proposed Rule was issued on July 8, 2010, and published in the Federal Register on July 14, 2010 with a 60-day comment period.

The HITECH Act and the Proposed Rule create a variety of new obligations for covered entities (“CEs”) and business associates (“BAs”) with some of the most significant changes being the expanded duties as well as penalties to which on BAs are now subject.  The HITECH Act required that HIPAA’s Security and Privacy Rules, as well as other aspects of HIPAA, be extended to BAs in much the same way as they apply to CEs; and a variety of changes in the Proposed Rule make it clear that the standards, requirements, and implementation specifications of HIPAA are applicable to BAs.  Prior to the HITECH Act, HIPAA applied to BAs only indirectly by way of the BA’s contractual obligations to the CE.  Additionally, the penalties for violations of the BA’s obligations were limited to damages that resulted from any contractual breach (unless the BA also happened to be a CE).  The HITECH Act and the Proposed Rule expand both the application of certain HIPAA requirements and penalties to BAs.

Additionally, the Proposed Rule expands the definition of “business associate,” to include, most significantly, subcontractors of BAs or “downstream business associates” who create, receive, or transmit protected health information (“PHI”).  Subcontractors who meet this criterion are now themselves considered BAs, and are therefore required to enter into business associate agreements and are subject to direct liability under the HIPAA rules.   The Proposed Rule additionally clarifies that CEs are required to enter into business associate agreements with their BA, but not directly with subcontractors.  Instead, it is now the responsibility of the BA who engages the subcontractor to enter into a BA agreement with that subcontractor.  The subcontractor business associate agreement must comply with the same requirements as agreements between CEs and BAs.

The HITECH Act has also put more teeth in HIPAA enforcement efforts by increasing civil penalties for HIPAA violations and, in certain cases, requiring formal investigations and mandatory penalties. HHS issued the Interim Final Rule (“IFR”), revising HIPAA to incorporate provisions required by the HITECH Act that immediately took effect and the Proposed Rule makes a variety of changes to facilitate this new penalty scheme.  The new penalty scheme establishes four categories of violations that reflect increasing levels of culpability and the corresponding tiers of civil money penalty amounts.  The Proposed Rule clarifies that HHS will investigate complaints when a review of the facts indicates a potential violation is due to willful neglect.  If a violation is found to have occurred due to willful neglect, a penalty will be imposed.

If a HIPAA violation occurs, procedures must be in place to adequately respond.  Legal counsel should also be used to ensure appropriate compliance with any requirements of HIPAA.  The best way to prevent liability under the new requirements is a showing of past compliance.  In order to do this, entities should take steps before a violation occurs to prevent violations and ensure that compliance is adequately documented.

In sum, the new HIPAA obligations imposed under the HITECH Act and the Proposed Rule seek to strengthen the privacy and security of PHI and the and effectiveness of HIPAA, and in doing so they expand obligations and liabilities to a wider range of entities.  The Proposed Rule provides CEs and BAs with 180 days after the effective date of issuance of the final regulations to come into compliance with most of the new requirements. However, the final regulations will not likely differ significantly from the Proposed Rule and entities should familiarize themselves with the new rules and begin to prepare now for changes.

About the Author

Stephanie A. Cason is an associate at Powers Pyle Sutter and Verville.  Her practice focuses on healthcare and education law and public policy.  She received her Juris Doctor, cum laude, from the University of Michigan Law School.  During law school, she served as selection committee member, publication committee member and administrative manager for the Michigan Journal of Gender and Law.  She was also the technology manager of the Organization of Public Interest Students.  Ms. Cason also holds an undergraduate degree in Political Science from Reed College where her senior thesis analyzed the USA Patriot Act.
Ms. Cason’s prior experience includes serving as a law clerk in the Federal Public Defender Office, a law clerk for Judge Katherine Tennyson in Portland, Oregon, and internships with the American Civil Liberties Union and the Oregon Law Center.

While HIPAA’s recently enhanced penalty provisions and newly enacted security breach notification requirements have each received a significant amount of attention, the connection between them and its significant implications for employers and health care providers subject to HIPAA have not. Most significantly, because of the enhanced penalties, it is critical that covered entities conduct a careful and documented risk assessment before deciding not to provide notice of a security incident.

HIPAA’s recently promulgated security breach notification regulations require notice only if (a) there has been access to, or acquisition, use or disclosure of, protected health information (PHI) in violation of the HIPAA Privacy Rule; and (b) that violation “poses a significant risk of financial, reputational or other harm” to the subjects of the PHI.  In the preamble to the security breach regulations, the U.S. Department of Health and Human Services (HHS) takes the position that a covered entity “will need to perform a risk assessment” to determine whether the second element of the notification standard has been satisfied. Besides identifying four factors that covered entities might consider in conducting this risk assessment, HHS provides no other guidance on how to assess risk.[1] HHS does emphasize, however, that “[c]overed entities and business associates must document their risk assessments, so their they can demonstrate, if necessary, that no breach notification was required.” In other words, covered entities should expect that if HHS ever challenges a decision not to provide notice of a security breach, HHS’ first request will be for production of the covered entity’s risk assessment that decision.

The decision whether to provide notice of a security breach could be momentous for a covered entity. Under HIPAA’s security breach notification regulations, if the incident involves more than five hundred individuals in the same state, the covered entity would be required to report the breach to HHS, which will post the report on its Web site and notify “prominent media outlets,” which may choose to publicize the breach. As a result, notification of even a relatively small breach could expose the covered entity to class action litigation, damaging media coverage, and collateral damage to patient or employee relationships, in addition to the cost of providing notice and incident response services to affected individuals. Given these potential adverse consequences, a covered entity often will have an overriding interest in finding that a HIPAA violation did not create a material risk of harm and, therefore, does not require notification.

However, HIPAA’s enhanced penalties substantially increase the potential exposure to a covered entity that decides not to provide notification without first conducting and documenting a credible assessment of the risk to individuals arising from the security incident.  Under the new penalty scheme, HHS must impose a penalty upon finding that a covered entity’s HIPAA violation resulted from “willful neglect.”  “Willful neglect” means “conscious, intentional failure or reckless indifference to the obligation to comply with the regulation that is the target of the complaint.”  HHS likely would find that failing to notify individuals of a security breach without conducting a risk assessment or  basing a decision  on a superficial risk assessment constitutes “willful neglect.”

A finding by HHS of “willful neglect” would trigger exposure to substantial penalties. In that case, the penalty would ranger from a minimum of $10,000 per violation to a maximum of $50,000 per violation if the violation (i.e., the failure to notify affected individuals of the security breach) is corrected within 30 days of notice from HHS, and a minimum of $50,000 per violation and a maximum of $1.5 million per violation if the violation is left uncorrected. Moreover, HIPAA’s amended enforcement provisions, and recently proposed regulations construing those amendments, provide HHS with substantial discretion in determining what constitutes a violation. If HHS were to determine, in the context of a security breach, that each person who did not timely receive a notice is one violation, or that one violation is each day that notice to affected individuals was improperly delayed, the potential penalties could run into the millions of dollars. While to date, HHS has not imposed a single civil monetary penalty, the agency’s statutory authority to impose multi-million dollar penalties provides it with substantial leverage in negotiating settlements with alleged violators of HIPAA. HHS recently demonstrated its new-found muscle when it announced, on July 27, 2010, a $1 million settlement with a covered entity that allegedly did not properly dispose of PHI.

By contrast, a covered entity that conducts a credible risk assessment in good faith likely would have no exposure for any penalties. The recently proposed revisions to HIPAA’s Enforcement Rule bar HHS from imposing a penalty if the covered entity demonstrates that the violation did not result from willful neglect and was promptly corrected after the covered entity knew, or should have known, of the violation. This means that if a covered entity based a decision not to provide notice on a credible risk assessment, it likely would have no exposure for a civil monetary penalty, even if HHS were to disagree with the entity’s decision. Thus, HHS would have no leverage to extract a monetary settlement — as long as the covered entity provided notice to affected individuals promptly after being informed of HHS’ disagreement with the results of the covered entity’s risk assessment.

Because security incidents typically are investigated and evaluated under substantial time pressure, covered entities should consider obtaining, and familiarizing themselves with, a risk assessment tool before they are confronted with a security incident. One example of such a risk assessment tool is a software application called RADAR (Risk Assessment, Documentation and Reporting) recently released by ID Experts, a firm specializing in comprehensive data breach solutions for healthcare.  Click to get more information about RADAR.

This entry was written by Philip L. Gordon.

Philip Gordon is a shareholder in the Denver office of Littler Mendelson, P.C., and chairs the firm’s Privacy and Data Protection Practice Group.  He regularly counsels employers and health care providers on HIPAA compliance and security incident response.  He is the principal author of Littler’s Workplace Privacy Counsel blog and Healthcare Employment counsel blog, both of which can be accessed through www.littler.com.  Mr. Gordon He can reached at pgordon@littler.com or 303-362-2858.

---

[1] The four factors identified by HHS are the following:  (a) who impermissibly used the PHI or to whom the PHI was impermissibly disclosed, (b) the steps taken to mitigate potential harm resulting from the unauthorized conduct, (c) whether the PHI has been returned before being used for an improper purpose, (d) the types and amounts of PHI involved in the incident.

ID Experts today announced RADAR (HITECH Risk Assessment, Documentation and Reporting), the industry’s first expert software tool to measure a data breach incident’s risk index (IRI) by combining the severity of the episode and the sensitivity of the exposed data to quantify the incident’s overall harm threshold.  Designed for healthcare providers, HIPAA covered entities, and their business associates, RADAR was developed to efficiently and consistently meet all of the requirements for complying with the HITECH Act data breach notification provisions for security and privacy breach incident harm threshold assessment, documentation and reporting.

Security breaches are now remarkably commonplace in healthcare; more than 55 were reported to the Department of Health and Human Services (HHS) in the first six months of 2010.  In fact, healthcare is the second most breached industry, according to the Identity Theft Resource Center.  And security breaches, whether digital- or paper-based, can happen at any given moment—physical theft of a laptop from an employee’s car, deliberate abuse of system access, misdirected faxes and emails, malware attacks, unintentional human error, unauthorized access, a lost backup drive.  Additionally, the future of healthcare dictates the use of electronic medical records, raising fresh concerns of protecting patient privacy, PHI threats and medical identity theft.

Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, a leading researcher and voice in addressing data breach risks and issues, noted about RADAR that:

“Organizations may need guidance, especially when dealing with PHI breaches, so they cover their bases to protect individuals and follow all of the rules and laws. ID Experts’s RADAR new tool offers consistency and efficiency for evaluating and reporting a security breach, and provides the analysis and documentation required of a mandated risk assessment.”

Following any security breach, RADAR will guide the privacy or security officer to analyze the incident and exposed data to quantify the incident, determine whether the exposed information includes PHI, whether any exceptions apply, and the likelihood that the information could be misused.  The results will help companies determine the potential risk of harm to the individuals affected by each data breach incident and take appropriate steps to mitigate the potential harm to those affected, while fulfilling all of the HITECH requirements enforced by the HHS, including determining if notification is required.

RADAR is current in beta test with several leading US healthcare providers and will be generally available in August, 2010. RADAR is available as software-as-a-service on a subscription basis with pricing starting at $1,500 per user per year.

Healthcare organizations that fall under the definition of HIPAA covered entities should be very aware of their obligations under the data breach provisions of the HITECH Act. The reason being that there are now very substantial penalties for disregarding the security and privacy regulations, for lax detection of data breach incidents and for failing to notify affected individuals of an incident within a specified period of time.

One of the keys to meeting the notification requirement is completing and documenting a data breach incident “risk assessment” for each and every incident that is detected. The “rules” for carrying out this mandated assessment are specified by the department of Health and Human Services (HHS) in their rulemaking. This webinar will assist information security, compliance and privacy officers and professionals at hospitals, health insurers, and other covered entities in understanding what they need to do and how to go about doing it, when faced with a potential data breach incident.

A description of the webinar follows.

The HITECH Act requires HIPAA-covered entities to carry out a careful risk assessment, including an evaluation of potential harm, for every potential data breach incident. This risk assessment will assist organizations in deciding whether they are obligated to then notify affected individuals, the Department of Health and Human Services (HHS) and the media about data breach incidents.

Kirk Nahra, CIPP, a partner at the premier healthcare law firm Wiley Rein LLP, and Rick Kam, president and founder of ID Experts, will review and discuss the HHS rules for completing these mandated data breach incident risk assessments in order to ensure compliance and utilize evolving best practices.

Learn about considerations for HIPAA-covered entities in carrying out mandated HITECH data security breach incident risk assessments. To enroll to attend the webinar, click here.

A recent article in American Medical News notes that the greatest risks to healthcare providers in the area of maintaining patient privacy isn’t offshore hackers or rogue employees, but rather simple accidents.

Over six months in 2009, 12,500 mobile devices were left in taxis. And 4,500 USB “thumb” drives were left in pants pockets that were then set to the cleaners. And the vast majority of these devices did not use data encryption.

What makes this so damaging to the organizations that employ these individuals, is that one-third of healthcare professionals maintain patient data on their mobile devices – smartphones, laptops and removable media such as memory sticks.

Now that the data breach provisions of the HITECH Act our open to enforcement, such incidents may cost the healthcare provider up to $1.5 million. Quite a sum for a simple momentary lapse or accident.

This article, and the related study, highlights the importance for healthcare providers to evaluate the risk factors for non-malicious identity data loss. These types of risks are often overlooked, or at least prioritized at a lower level, by security professionals because of the tendency to focus on technology solutions for data security. Or in lieu of technology, to rely on policies.

While I suspect most healthcare providers have policies to inhibit professionals to storing patient data on their laptops, moving it from one location to another with a thumb drive, or viewing it on a smartphone, as a practical matter, these do not appear to stand in the way of progress. And progress of this sort creates risks that organizations must acknowledge as a first step towards understanding how to manage them.

In a recent post, I was wondering about why there have yet to be any healthcare data breaches posted on the Health and Human Services(HHS) Office of Civil Rights (OCR) website. Because there have been a number of substantial incidents reported in the press since the notification requirement under the HITECH Act went into effect, it was unclear as to whether the covered entities were remiss in reporting or whether the hold up was at OCR.

Based on some encouragement, I was given the name of the responsible person at OCR and emailed to ask about this seeming discrepancy. She was nice enough to provide the following reply from Hannah Stahle, JD, Health Information Privacy Specialist:

“In response to your question regarding the posting of breaches on the OCR website, we have been receiving reports from covered entities of breaches affecting 500 or more individuals since the effective date of the regulation.  We are now in the process of working to establish our web page for posting information regarding such breaches.  Because the breach notification regulation imposed a new reporting requirement on covered entities, which has been in effect for less than three months, we are taking extra care to ensure that all breach notifications we receive are accurate before we post any information on our website.”

It is wonderful to know that covered entities are in fact reporting breach incidents as required, and that HHS is working to ensure that their reporting site is accurate given the sensitive nature of the incidents being reported.

I had also asked about whether there were likely to be changes to the “harm threshold” guidance between now and the issuance of the Final Rule. She again commented that:

“With respect to your question concerning the harm threshold, we are in the process of analyzing the comments we received in response to the interim final regulation and will be developing a final breach regulation in the near future.  The harm threshold generated many comments on both sides of the issue, and we will consider all comments as we begin to develop the policy for the final rule.”

I do believe that there are two issues at play here. One, that it is difficult to expect that a covered entity can make a completely impartial determination as to the level of harm that is represented by a data breach incident, if in fact they have a lot to lose by acknowledging that such an incident did in fact create a threat of harm to those affected individuals. The second, though, is that it would be desirable for the Rules  to be as unambiguous as possible, so that oragnizations do not need to be involved in making “judgment calls” on level of harm caused by incidents.

Since the HITECH Act data breach notification provisions became effective this past September 23, 2009, I’d recently become curious about the number and nature of data breaches that would start to appear on the website at the Department of Health and Human Services (HHS).

The HHS Rules require healthcare organizations (specifically HIPAA covered entities) to report to HHS any data breach incidents that have affected over 500 individuals, shortly after the breach is discovered.  I noticed that the Identity Theft Resource Center (ITRC) 2009 ITRC Breach Report, a terrific compendium of public information from numerous sources on data breach incidents, had captured numerous healthcare data breaches since the September 23rd effective date. And of course there have been several very high profile healthcare data breaches recently including the Blue Cross Blue Shield Assocation breach that affected over 850,000 of their medical providers, as well as the recent Health Net data breach affecting over 1.5MM individuals.

So with great anticipation I visited the HHS website where there is a section on the Breach Notification Rule and clicked on the following link: