Posts Tagged ‘Data Breach’


Connecticut Insurance Commissioner Requires Data Breach Notification

Posted by: Doug Pollack | August 31st, 2010

In an interesting turn of events, the Insurance Commissioner of the State of Connecticut is now requiring notification from any of the entities that it regulates, which include many members of the healthcare ecosystem who also need to comply with HIPAA/HITECH data breach regulations. Bulletin IC-25 requires that the Commissioner be notified within 5 days of the identification of a potential data breach incident.

The involvement of insurance authorities in data security incident definition and notification further complicates the maze of laws and regulations faced by healthcare and other organizations that maintain personal information on patients, policyholders and clients, including protected health information (PHI). For instance, in this case, even encrypted data loss will require notification of the Insurance Commissioner, as will the loss of paper files.

They also indicate that:

“Depending on the type of incident and information involved, the Department will also want to have discussions regarding the level of credit monitoring and insurance protection which the Department will require to be offered to affected consumers and for what period of time.”

Data breach prevention “top of mind” for healthcare IT

Posted by: Doug Pollack | August 20th, 2010

A recent survey described in an article by Healthcare IT News notes that preventing data breaches is the NUMBER ONE priority for IT decision makers in US hospitals.

While reducing risks of data breaches is important to them, of these same decision makers:

- 38 percent still report they cannot track inappropriate access in accordance with the regulations
- 19 percent of respondents said they themselves do not understand the HITECH Act.

The implication is clear: while preventing data breaches is of greatest importance to them, their ability to meet the HITECH compliance obligations, and by doing so to stop data breaches from occurring, is sorely lacking.

“The results of the survey demonstrate that hospitals are struggling to balance the need for greater security with the established workflow of physicians and staff. It is imperative that hospitals secure user access without re-engineering established clinician workflows, say survey officials.”

The new privacy rules recently published by the Department of Health and Human Services in the NPRM (Notice of Proposed Rulemaking), if enacted, will only accentuate the challenges to hospitals. They would require that hospitals, and other HIPAA covered entities, “provide notice to individuals indicating that most disclosures of PHI for which the covered entity receives remuneration would require the authorization of the individual.”

So going forward, hospitals will be required to gain permission from patients to share information about them with any entity that is compensating the hospital for use of the data. In the past, they were permitted to share without permission, and it is likely that their systems and processes lack the appropriate level of granularity today to allow patients this level of control. More work for the hospital IT security team.

Private Practices report data breaches – 54,000 patient records lost since September 2009

Posted by: Rick Kam | August 18th, 2010

Physicians’ offices and small clinics are recent targets of patient data theft, creating a legal obligation to notify patients of the crime under the new federal HITECH Act as well as to provide concurrent notice to the HHS Office for Civil Rights (OCR). A recent article in HealthLeaders Media highlighted this growing problem.

According to OCR, breaches at 11 private practices, affecting a total of 54,000+ patient records, have been reported to them since this legislation to protect patient privacy went into effect in September 2009.

The risk to affected patients is medical identity theft by criminals wanting to use their information to obtain illegal prescriptions and medical services. The risks to private practices are regulatory noncompliance, state and federal fines for privacy violations, class action litigation, and losing patients who decide to take their business elsewhere.

Unfortunately, a breach of patient data is common. A misdirected fax, stolen laptop, or missing PDA containing patient data is all it takes.

When you suspect you have a breach of patient data, get help. A recent survey by Ponemon Institute, a research organization that studies data breach incidents, found that 44% of the organizations they surveyed engaged experts. Ponemon also found that those that engaged experts experienced 26% lower costs and more positive outcomes, including compliance with regulations, minimizing the risk of fines and class action litigation, and protecting patients from medical identity theft.

ID Experts has helped private practices and clinics, large and small, effectively mitigate the risks of a data breach. If you think you have an issue, call the ID Experts hotline at 866-726-4271 to discuss the case.


Posted by: Rick Kam | August 16th, 2010

The recent ruling by U.S. District Judge Legrome D. Davis in the case of Allison v. Aetna is another proof point that the threat of identity theft caused by a data breach is not sufficient grounds for litigation. No damages equates to no victims, which mitigates one of the major risks of a breach.

Best practice suggests performing an incident risk assessment to determine the potential risk of harm to individuals when a breach of PII or PHI occurs. We suggest looking at the sensitivity of the data disclosed and the specific context of the breach, which together yield an incident risk level. Using these two dimensions of risk provides a consistent basis for determining the potential risk of harm.

An example of this approach is a recent breach of medical records from a large hospital. The breached records included name, address, medical ID number, and diagnosis. No social security numbers were disclosed. By definition this is protected health information.

Would the disclosure of this information create a potential risk of harm for the individuals affected, triggering breach notification under the HITECH Act?

The sensitivity of this data may be low if these were adults, but upon further investigation we found that this information belonged to children, many of whom were wards of the state. The information included psychiatric data. All of these facts lead to an assessment that the sensitivity of the disclosed information creates high risk.

To evaluate the incident breach risk, we looked at how the breach happened. In this case, an employee had received a new laptop. The policy for this hospital was to encrypt all laptops. However, upon investigation, IT discovered that the employee had removed the laptop from the network before the encryption process had completed, leaving the records unencrypted. The employee had left the laptop in the trunk of their car in their garage. Unfortunately, the employee’s garage and car were broken into. The employee discovered the theft when they returned from vacation and reported it to the hospital. Evaluating both the sensitivity of the data and the context of the breach, the circumstances of this incident warranted a high risk assessment.

This hospital made the decision to notify the affected patients because of the potential risk of harm. Will these patients fall victim to identity theft, creating a potential legal risk? It is hard to tell, but 5 years or 10 years from the date of the breach, some number of these affected patients will be victims of identity theft. Best practice is to have notified individuals and provided them with information and tools to protect themselves.

Avoiding Increased Risks and Liabilities under the Just Released HITECH/HIPAA Rules

Posted by: admin | August 11th, 2010

By Stephanie Cason

The Health Information Technology for Economic and Clinical Health (“HITECH”) Act, enacted on February 17, 2009, was designed to promote the widespread adoption and standardization of health information technology. It supports this goal by adding amendments designed to strengthen the privacy and security protections of health information established by HIPAA, and contains provisions that substantially expanded the HIPAA Privacy, Security, and Enforcement Rules. The U.S. Department of Health and Human Services (“HHS”) published proposed regulations (the “Proposed Rule”) that will implement modifications to the HIPAA Privacy, Security, and Enforcement Rules under the HITECH Act. The Proposed Rule was issued on July 8, 2010, and published in the Federal Register on July 14, 2010 with a 60-day comment period.

The HITECH Act and the Proposed Rule create a variety of new obligations for covered entities (“CEs”) and business associates (“BAs”), with some of the most significant changes being the expanded duties, as well as penalties, to which BAs are now subject. The HITECH Act required that HIPAA’s Security and Privacy Rules, as well as other aspects of HIPAA, be extended to BAs in much the same way as they apply to CEs, and a variety of changes in the Proposed Rule make it clear that the standards, requirements, and implementation specifications of HIPAA are applicable to BAs. Prior to the HITECH Act, HIPAA applied to BAs only indirectly by way of the BA’s contractual obligations to the CE. Additionally, the penalties for violations of the BA’s obligations were limited to damages that resulted from any contractual breach (unless the BA also happened to be a CE). The HITECH Act and the Proposed Rule expand both the application of certain HIPAA requirements and penalties to BAs.

Additionally, the Proposed Rule expands the definition of “business associate” to include, most significantly, subcontractors of BAs or “downstream business associates” who create, receive, or transmit protected health information (“PHI”). Subcontractors who meet this criterion are now themselves considered BAs, and are therefore required to enter into business associate agreements and are subject to direct liability under the HIPAA rules. The Proposed Rule additionally clarifies that CEs are required to enter into business associate agreements with their BAs, but not directly with subcontractors. Instead, it is now the responsibility of the BA who engages the subcontractor to enter into a BA agreement with that subcontractor. The subcontractor business associate agreement must comply with the same requirements as agreements between CEs and BAs.

The HITECH Act has also put more teeth in HIPAA enforcement efforts by increasing civil penalties for HIPAA violations and, in certain cases, requiring formal investigations and mandatory penalties. HHS issued the Interim Final Rule (“IFR”), revising HIPAA to incorporate provisions required by the HITECH Act that immediately took effect, and the Proposed Rule makes a variety of changes to facilitate this new penalty scheme. The new penalty scheme establishes four categories of violations that reflect increasing levels of culpability and the corresponding tiers of civil money penalty amounts. The Proposed Rule clarifies that HHS will investigate complaints when a review of the facts indicates a potential violation is due to willful neglect. If a violation is found to have occurred due to willful neglect, a penalty will be imposed.

If a HIPAA violation occurs, procedures must be in place to adequately respond.  Legal counsel should also be used to ensure appropriate compliance with any requirements of HIPAA.  The best way to prevent liability under the new requirements is a showing of past compliance.  In order to do this, entities should take steps before a violation occurs to prevent violations and ensure that compliance is adequately documented.

In sum, the new HIPAA obligations imposed under the HITECH Act and the Proposed Rule seek to strengthen the privacy and security of PHI and the effectiveness of HIPAA, and in doing so they expand obligations and liabilities to a wider range of entities. The Proposed Rule provides CEs and BAs with 180 days after the effective date of issuance of the final regulations to come into compliance with most of the new requirements. However, the final regulations will not likely differ significantly from the Proposed Rule, and entities should familiarize themselves with the new rules and begin to prepare now for changes.

About the Author

Stephanie A. Cason is an associate at Powers Pyle Sutter and Verville.  Her practice focuses on healthcare and education law and public policy.  She received her Juris Doctor, cum laude, from the University of Michigan Law School.  During law school, she served as selection committee member, publication committee member and administrative manager for the Michigan Journal of Gender and Law.  She was also the technology manager of the Organization of Public Interest Students.  Ms. Cason also holds an undergraduate degree in Political Science from Reed College where her senior thesis analyzed the USA Patriot Act.
Ms. Cason’s prior experience includes serving as a law clerk in the Federal Public Defender Office, a law clerk for Judge Katherine Tennyson in Portland, Oregon, and internships with the American Civil Liberties Union and the Oregon Law Center.

Enhanced HIPAA Penalties Raise Stakes for Employers and Health Care Providers Responding to a Security Breach

Posted by: philgordon | August 2nd, 2010

While HIPAA’s recently enhanced penalty provisions and newly enacted security breach notification requirements have each received a significant amount of attention, the connection between them and its significant implications for employers and health care providers subject to HIPAA have not. Most significantly, because of the enhanced penalties, it is critical that covered entities conduct a careful and documented risk assessment before deciding not to provide notice of a security incident.

HIPAA’s recently promulgated security breach notification regulations require notice only if (a) there has been access to, or acquisition, use or disclosure of, protected health information (PHI) in violation of the HIPAA Privacy Rule; and (b) that violation “poses a significant risk of financial, reputational or other harm” to the subjects of the PHI. In the preamble to the security breach regulations, the U.S. Department of Health and Human Services (HHS) takes the position that a covered entity “will need to perform a risk assessment” to determine whether the second element of the notification standard has been satisfied. Besides identifying four factors that covered entities might consider in conducting this risk assessment, HHS provides no other guidance on how to assess risk.[1] HHS does emphasize, however, that “[c]overed entities and business associates must document their risk assessments, so that they can demonstrate, if necessary, that no breach notification was required.” In other words, covered entities should expect that if HHS ever challenges a decision not to provide notice of a security breach, HHS’ first request will be for production of the covered entity’s risk assessment supporting that decision.

The decision whether to provide notice of a security breach could be momentous for a covered entity. Under HIPAA’s security breach notification regulations, if the incident involves more than five hundred individuals in the same state, the covered entity would be required to report the breach to HHS, which will post the report on its Web site and notify “prominent media outlets,” which may choose to publicize the breach. As a result, notification of even a relatively small breach could expose the covered entity to class action litigation, damaging media coverage, and collateral damage to patient or employee relationships, in addition to the cost of providing notice and incident response services to affected individuals. Given these potential adverse consequences, a covered entity often will have an overriding interest in finding that a HIPAA violation did not create a material risk of harm and, therefore, does not require notification.

However, HIPAA’s enhanced penalties substantially increase the potential exposure to a covered entity that decides not to provide notification without first conducting and documenting a credible assessment of the risk to individuals arising from the security incident. Under the new penalty scheme, HHS must impose a penalty upon finding that a covered entity’s HIPAA violation resulted from “willful neglect.” “Willful neglect” means “conscious, intentional failure or reckless indifference to the obligation to comply with the regulation that is the target of the complaint.” HHS likely would find that failing to notify individuals of a security breach without conducting a risk assessment, or basing a decision on a superficial risk assessment, constitutes “willful neglect.”

A finding by HHS of “willful neglect” would trigger exposure to substantial penalties. In that case, the penalty would range from a minimum of $10,000 per violation to a maximum of $50,000 per violation if the violation (i.e., the failure to notify affected individuals of the security breach) is corrected within 30 days of notice from HHS, and from a minimum of $50,000 per violation to a maximum of $1.5 million per violation if the violation is left uncorrected. Moreover, HIPAA’s amended enforcement provisions, and recently proposed regulations construing those amendments, provide HHS with substantial discretion in determining what constitutes a violation. If HHS were to determine, in the context of a security breach, that each person who did not timely receive a notice is one violation, or that each day that notice to affected individuals was improperly delayed is one violation, the potential penalties could run into the millions of dollars. While to date HHS has not imposed a single civil monetary penalty, the agency’s statutory authority to impose multi-million dollar penalties provides it with substantial leverage in negotiating settlements with alleged violators of HIPAA. HHS recently demonstrated its new-found muscle when it announced, on July 27, 2010, a $1 million settlement with a covered entity that allegedly did not properly dispose of PHI.

By contrast, a covered entity that conducts a credible risk assessment in good faith likely would have no exposure for any penalties. The recently proposed revisions to HIPAA’s Enforcement Rule bar HHS from imposing a penalty if the covered entity demonstrates that the violation did not result from willful neglect and was promptly corrected after the covered entity knew, or should have known, of the violation. This means that if a covered entity based a decision not to provide notice on a credible risk assessment, it likely would have no exposure for a civil monetary penalty, even if HHS were to disagree with the entity’s decision. Thus, HHS would have no leverage to extract a monetary settlement — as long as the covered entity provided notice to affected individuals promptly after being informed of HHS’ disagreement with the results of the covered entity’s risk assessment.

Because security incidents typically are investigated and evaluated under substantial time pressure, covered entities should consider obtaining, and familiarizing themselves with, a risk assessment tool before they are confronted with a security incident. One example of such a risk assessment tool is a software application called RADAR (Risk Assessment, Documentation and Reporting) recently released by ID Experts, a firm specializing in comprehensive data breach solutions for healthcare.  Click to get more information about RADAR.

This entry was written by Philip L. Gordon.

Philip Gordon is a shareholder in the Denver office of Littler Mendelson, P.C., and chairs the firm’s Privacy and Data Protection Practice Group. He regularly counsels employers and health care providers on HIPAA compliance and security incident response. He is the principal author of Littler’s Workplace Privacy Counsel blog and Healthcare Employment Counsel blog, both of which can be accessed through www.littler.com. Mr. Gordon can be reached at pgordon@littler.com or 303-362-2858.


[1] The four factors identified by HHS are the following:  (a) who impermissibly used the PHI or to whom the PHI was impermissibly disclosed, (b) the steps taken to mitigate potential harm resulting from the unauthorized conduct, (c) whether the PHI has been returned before being used for an improper purpose, (d) the types and amounts of PHI involved in the incident.
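The two-dimensional assessment described in the Allison v. Aetna post earlier on this page (sensitivity of the disclosed data combined with the context of the incident) and the four HHS factors in the footnote above lend themselves to a repeatable, self-documenting procedure, which matters because HHS expects the risk assessment to be produced on request. The Python below is an added illustration written for this page; it is not ID Experts’ RADAR, nor any scoring published by HHS. The level names, the weights, the rule that a HIGH on one axis and a LOW on the other lands on MEDIUM, and the threshold that only a HIGH combined level triggers notification are all assumptions chosen for the example. The stolen-laptop case is the one described on this page; the encrypted-laptop variant is constructed for contrast.

```python
"""Incident risk assessment on two dimensions: data sensitivity and incident context.

Added example for this page. Weights, level names and the notification threshold
are assumptions for illustration, not HHS rules or any product's scoring.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import List


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class DataProfile:
    """Nature of the exposed PHI (HHS factor d: types and amounts of PHI)."""
    has_ssn: bool = False
    has_diagnosis: bool = False
    stigmatizing_diagnosis: bool = False  # e.g. psychiatric or HIV-related data
    vulnerable_population: bool = False   # e.g. children, wards of the state


@dataclass(frozen=True)
class IncidentContext:
    """How the exposure happened (HHS factors a-c plus the encryption state)."""
    recipient: str                 # factor a: "unknown", "workforce" or "covered_entity"
    mitigated: bool = False        # factor b: e.g. remote wipe confirmed, assurances obtained
    returned_unused: bool = False  # factor c: PHI recovered before any improper use
    encrypted_at_rest: bool = False
    key_exposed: bool = False      # decryption key exposed along with the data?


@dataclass
class Assessment:
    sensitivity: Level
    context: Level
    overall: Level
    notify: bool
    rationale: List[str] = field(default_factory=list)  # the documentation HHS asks for


def data_sensitivity(data: DataProfile, rationale: List[str]) -> Level:
    """Score the data dimension with assumed weights; SSNs weigh double."""
    score = 0
    for present, weight, why in (
        (data.has_ssn, 2, "social security numbers exposed"),
        (data.has_diagnosis, 1, "diagnosis or procedure information exposed"),
        (data.stigmatizing_diagnosis, 1, "stigmatizing (e.g. psychiatric) data exposed"),
        (data.vulnerable_population, 1, "subjects are a vulnerable population"),
    ):
        if present:
            score += weight
            rationale.append(f"sensitivity +{weight}: {why}")
    if score >= 3:
        return Level.HIGH
    return Level.MEDIUM if score >= 1 else Level.LOW


def context_risk(ctx: IncidentContext, rationale: List[str]) -> Level:
    """Score the incident dimension from who has the data and what was done about it."""
    if ctx.encrypted_at_rest and not ctx.key_exposed:
        rationale.append("context LOW: data encrypted at rest and key not exposed")
        return Level.LOW
    if ctx.returned_unused:
        rationale.append("context LOW: PHI returned before any improper use")
        return Level.LOW
    if ctx.recipient == "unknown":  # lost or stolen media: no way to know who holds it
        rationale.append("context HIGH: recipient unknown, data not encrypted or key exposed")
        return Level.HIGH
    if ctx.mitigated:
        rationale.append(f"context LOW: known recipient ({ctx.recipient}), mitigation completed")
        return Level.LOW
    rationale.append(f"context MEDIUM: known recipient ({ctx.recipient}), no mitigation yet")
    return Level.MEDIUM


def combine(sensitivity: Level, context: Level) -> Level:
    """Combine both axes; HIGH paired with LOW lands on MEDIUM (assumed matrix)."""
    total = int(sensitivity) + int(context)  # ranges 2..6
    if total >= 5:
        return Level.HIGH
    return Level.MEDIUM if total >= 3 else Level.LOW


def assess(data: DataProfile, ctx: IncidentContext) -> Assessment:
    """Run the assessment and keep the rationale so the decision can be produced later."""
    rationale: List[str] = []
    sens = data_sensitivity(data, rationale)
    con = context_risk(ctx, rationale)
    overall = combine(sens, con)
    notify = overall == Level.HIGH  # assumed threshold for this example
    rationale.append(f"overall {overall.name}: notification {'required' if notify else 'not required'}")
    return Assessment(sens, con, overall, notify, rationale)


# The incident described on this page: children's psychiatric records on a laptop removed
# from the network before encryption completed, later stolen from a car; thief unknown.
HOSPITAL_DATA = DataProfile(has_diagnosis=True, stigmatizing_diagnosis=True, vulnerable_population=True)
HOSPITAL_LAPTOP = IncidentContext(recipient="unknown", encrypted_at_rest=False)
# Constructed variant for contrast: the same theft after encryption had completed.
ENCRYPTED_LAPTOP = IncidentContext(recipient="unknown", encrypted_at_rest=True)

if __name__ == "__main__":
    for label, ctx in (("as described", HOSPITAL_LAPTOP), ("encrypted variant", ENCRYPTED_LAPTOP)):
        result = assess(HOSPITAL_DATA, ctx)
        print(f"{label}: {result.overall.name}, notify={result.notify}")
        for line in result.rationale:
            print("  -", line)
```

Run as a script, the laptop case as described comes out HIGH on both axes with notification required, matching the decision the hospital made; the encrypted variant drops the context axis to LOW and the combined level to MEDIUM. The rationale list is the part worth keeping: it records which factors drove each level, which is what a regulator will ask to see if the decision not to notify is ever questioned.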

New RADAR tool for HITECH data breach risk assessments

Posted by: Doug Pollack | July 21st, 2010

ID Experts today announced RADAR (HITECH Risk Assessment, Documentation and Reporting), the industry’s first expert software tool to measure a data breach incident’s risk index (IRI) by combining the severity of the episode and the sensitivity of the exposed data to quantify the incident’s overall harm threshold.  Designed for healthcare providers, HIPAA covered entities, and their business associates, RADAR was developed to efficiently and consistently meet all of the requirements for complying with the HITECH Act data breach notification provisions for security and privacy breach incident harm threshold assessment, documentation and reporting.

Security breaches are now remarkably commonplace in healthcare; more than 55 were reported to the Department of Health and Human Services (HHS) in the first six months of 2010.  In fact, healthcare is the second most breached industry, according to the Identity Theft Resource Center.  And security breaches, whether digital- or paper-based, can happen at any given moment—physical theft of a laptop from an employee’s car, deliberate abuse of system access, misdirected faxes and emails, malware attacks, unintentional human error, unauthorized access, a lost backup drive.  Additionally, the future of healthcare dictates the use of electronic medical records, raising fresh concerns of protecting patient privacy, PHI threats and medical identity theft.

Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, a leading researcher and voice in addressing data breach risks and issues, noted about RADAR that:

“Organizations may need guidance, especially when dealing with PHI breaches, so they cover their bases to protect individuals and follow all of the rules and laws. ID Experts’ new RADAR tool offers consistency and efficiency for evaluating and reporting a security breach, and provides the analysis and documentation required of a mandated risk assessment.”

Following any security breach, RADAR will guide the privacy or security officer to analyze the incident and exposed data to quantify the incident, determine whether the exposed information includes PHI, whether any exceptions apply, and the likelihood that the information could be misused.  The results will help companies determine the potential risk of harm to the individuals affected by each data breach incident and take appropriate steps to mitigate the potential harm to those affected, while fulfilling all of the HITECH requirements enforced by the HHS, including determining if notification is required.

RADAR is currently in beta test with several leading US healthcare providers and will be generally available in August 2010. RADAR is available as software-as-a-service on a subscription basis with pricing starting at $1,500 per user per year.

Are You Ready for a Healthcare Data Breach?

Posted by: Doug Pollack | July 6th, 2010

This article is reprinted from Healthcare IT News with the author’s permission.

The handling of data breach incidents has become a way of life for healthcare providers and other HIPAA covered entities. With the passage of the HITECH Act last year, there are now substantial penalties that can be levied, up to $1.5 million. This fact, combined with a requirement to notify the Department of Health and Human Services as well as the media for data breach incidents that affect over 500 individuals, has for the first time resulted in public records being kept for such incidents.

If you oversee privacy, compliance, or IT for a hospital system, a group practice, a health insurance company, other covered entities, or even one of their business associates, the HITECH Act and its privacy and data breach provisions require your close attention. While many people know that HITECH generally creates requirements for data breach notification, there are at least four things you may not know about HITECH that you really should:

  1. The requirement for a mandatory incident-specific risk assessment for every incident
  2. The fact that HITECH notification provisions do not pre-empt state notification laws
  3. Encryption of data does not necessarily alleviate the risk of data breach
  4. If your business associate exposes your protected health information (PHI), you are responsible

1. Mandatory incident-specific risk assessment. When HHS issued its Interim Final Rule giving healthcare organizations guidance for complying with the HITECH Act data breach provisions, it added a new requirement: that the organization carry out an incident-specific risk assessment to determine the potential risk of harm to the individuals affected by each and every data breach incident. The rules establish a “harm threshold” for notification, but unfortunately they do not say how to determine the risk and the potential for harm. It is essential to become well versed in these rules and be prepared to carry out a HITECH-compliant data breach incident risk assessment.

2. HITECH doesn’t pre-empt state notification laws. While HITECH is the first national law for notification in the case of privacy information breaches, most U.S. states also have breach notification laws.  And while the intent of these laws is similar — to make individuals aware that their PHI may have been improperly disclosed — the specific details in all of these laws can actually vary a great deal.  But because HITECH is not “preemptive,” a healthcare organization that has experienced a data breach must ensure that it complies with both HITECH regulations as well as the regulations in every state where individuals are affected.  This can be daunting especially because HITECH and state laws in some cases are conflicting.

3. Encryption not a silver bullet. There is a lot of advocacy for encryption of PHI as a means to avoid data breach incidents. The general argument is that if data is encrypted, data breaches will not occur. Unfortunately, this is overly simplistic. While encryption will assist healthcare organizations in avoiding certain types of data breach incidents, it is not a panacea. For instance, a common threat approach is for a criminal or organized crime entity to enlist an “insider” to assist in extracting PHI. An insider with valid access credentials will not find encryption to be an obstacle in any way. As a result, consider encryption one of many tools for information protection, not a silver bullet.

4. You are responsible for your business associate. For the first time, HIPAA business associates are required to meet the HIPAA Privacy and Security Rule requirements based on HITECH. While this is a good thing, a covered entity should not consider this a “free pass” if one of your business associates exposed PHI that was provided by your organization. While you may be able to hold them financially accountable, if you’ve provided for such eventualities in your business associate agreements, the obligation for notification is still with the covered entity. It is your responsibility to maintain the privacy of the PHI, no matter to whom you entrust it. And of course, the affected patients will hold you responsible as well.

As you put processes and procedures in place to meet HITECH obligations, consider also putting in place a comprehensive and current data breach incident response plan.  This will prevent a lot of headaches and last-minute scrambling, should you be faced with a data breach.

Three Things to Know About HITECH Act

Posted by: Doug Pollack | June 17th, 2010

A recently published article in Healthcare IT News highlights aspects of the Health Information Technology for Economic and Clinical Health (HITECH) Act that may have escaped your attention.

Titled “Three things you may not know about the HITECH Act…but should”, the article homes in on aspects of the rulemaking from the US Department of Health and Human Services that healthcare organizations must follow in determining whether a privacy breach incident meets the requirements for notification.

HITECH is known primarily for the manner in which it motivates healthcare providers to implement electronic health records (EHR) systems. But as more and more of our medical information is going online, the Act also wisely enhanced the privacy and security provisions that are required of healthcare providers and added penalties and enforcement mechanisms for the breach of private healthcare information.

One of the three things you may not know, per this article, is that when your organization experiences a potential privacy incident, you are required to carry out a “risk assessment” in order to determine the nature of the protected health information (PHI) that was disclosed, and whether it poses a risk of harm to the affected patients. Based on the results of this risk assessment, your organization may or may not be obligated to notify the affected individuals, along with HHS and the media. So this assessment process is very important.

Unfortunately, the risk assessment process is not as well defined or straightforward as might be hoped. And this gets to the second item that you may not know about in HITECH. In carrying out a risk assessment, the goal is to determine whether there is a risk of financial, reputational or other harm to the patients affected. In this process, not all PHI is created equal; in fact, you must consider the nature of the information disclosed in a manner that is situationally aware.

For instance, disclosure of a person’s name and their medical procedure may not be cause for any risk of harm if the procedure was having a bunion removed. However, if the procedure was for the diagnosis of AIDS, disclosure of this information could result in substantial harm. As a result, it is not just the data types that need to be considered, but the nature of the data and the environment of their release. Not at all straightforward.

And then the third thing that you may not know about HITECH from this article is that its data breach notification provisions don’t “preempt” those of each of the states. In fact, if your organization experiences a data breach, you need to assess the requirement to notify, and how to notify, using not just the requirements of HITECH but also the requirements as stated in state data breach notification laws.

For example, you may find that based on your risk assessment, that HITECH requires notification. But you may also find that in some states, the timeframe for notification is shorter than the 60 days from discovery of incident that is required by HITECH. In other words, you must look at your breach notification requirements both under HITECH as well as under each state law where you have patients that were affected by the incident.

Needless to say, this is a complex process and you would be well advised to document your processes and decisions very carefully. You really don’t want to be the target of one of those $1.5MM fines that are beginning to surface.

Posted by: Doug Pollack | May 25th, 2010

It is terrific to see that a recent discussion forum of healthcare CIOs concluded that “human foibles” are likely to continue to contribute to data breach incidents in healthcare. The CIOs were on an e-health panel at the MIT Sloan CIO Symposium in Cambridge, Mass.

As noted by InformationWeek Healthcare:

“While advancements in security technology better protect patient data, and regulations like HIPAA aim to set rules for information security and privacy, some breaches boil down to humans making mistakes. ‘Everything in our environment is encrypted,’ said William Fandrich, senior VP and CIO at Blue Cross Blue Shield of Massachusetts. However, despite solid attempts at security protection and other precautions, healthcare organizations need to emphasize–and continue to remind–employees about simple things they need to do to prevent patient privacy breaches.”

We continue to find that organizations turn primarily to technology to solve the data breach “problem”. This is exemplified by the perspective that once all data is encrypted, data breach risks will be eliminated. It is great to see the thoughtfulness of the healthcare CIOs at this conference, where there was a prominent recognition that human error (and of course, human fraud) is a weak link for data breach risks despite the best of technologies applied.