The recent ruling by U.S. District Judge Legrome D. Davis in the case of Allison v. Aetna is another proof point that the threat of identity theft caused by a data breach is not sufficient grounds for litigation.  No damages equates to no victims, which mitigates one of the major risks of a breach.

Best practice suggests performing an incident risk assessment to determine the potential risk of harm to individuals when a breach of PII or PHI occurs. We suggest looking at the sensitivity of the data disclosed and the specific context of the breach which will provide an incident risk level. Using these two dimensions of risk provides a consistent basis for determining the potential risk of harm.

An example of this approach is a recent breach of medical records from a large hospital. The breached records included name, address, medical ID number, and diagnosis. No social security numbers were disclosed. By definition this is protected health information.

Would the disclosure of this information create a potential risk of harm for the individuals affected, triggering breach notification under the HITECH Act?

The sensitivity of this data may be low if these were adults, but upon further investigation we found that this information belonged to children, many of which were wards of the state. The information had psychiatric data. All of these facts leads to an assessment that the sensitivity of the disclosed information creates high risk.

To evaluate the incident breach risk, we looked at how the breach happened. In this case, an employee had received a new laptop. The policy for this hospital was to encrypt all laptops. However, upon investigation, IT discovered that the employee had removed the laptop from the network before the encryption process had completed, leaving the records unencrypted. The employee had left the laptop in the trunk of their car in their garage. Unfortunately, the employee’s garage and car was broken into. The employee discovered the theft when they returned from vacation and reported it to the hospital. The context of this incident warranted a high level assessment of risk when you evaluate both the sensitivity of the data and the context of the breach.

This hospital made the decision to notify the affected patients because of the potential risk of harm. Will these patients fall victim to identity theft creating a potential legal risk? It is hard to tell, but 5 years or 10 years from the date of the breach, some number of these affected patients will be victims of identity theft. Best practice is to have notified individuals and provided them with information and tools to protect themselves.

ID Experts today announced RADAR (HITECH Risk Assessment, Documentation and Reporting), the industry’s first expert software tool to measure a data breach incident’s risk index (IRI) by combining the severity of the episode and the sensitivity of the exposed data to quantify the incident’s overall harm threshold.  Designed for healthcare providers, HIPAA covered entities, and their business associates, RADAR was developed to efficiently and consistently meet all of the requirements for complying with the HITECH Act data breach notification provisions for security and privacy breach incident harm threshold assessment, documentation and reporting.

Security breaches are now remarkably commonplace in healthcare; more than 55 were reported to the Department of Health and Human Services (HHS) in the first six months of 2010.  In fact, healthcare is the second most breached industry, according to the Identity Theft Resource Center.  And security breaches, whether digital- or paper-based, can happen at any given moment—physical theft of a laptop from an employee’s car, deliberate abuse of system access, misdirected faxes and emails, malware attacks, unintentional human error, unauthorized access, a lost backup drive.  Additionally, the future of healthcare dictates the use of electronic medical records, raising fresh concerns of protecting patient privacy, PHI threats and medical identity theft.

Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, a leading researcher and voice in addressing data breach risks and issues, noted about RADAR that:

“Organizations may need guidance, especially when dealing with PHI breaches, so they cover their bases to protect individuals and follow all of the rules and laws. ID Experts’s RADAR new tool offers consistency and efficiency for evaluating and reporting a security breach, and provides the analysis and documentation required of a mandated risk assessment.”

Following any security breach, RADAR will guide the privacy or security officer to analyze the incident and exposed data to quantify the incident, determine whether the exposed information includes PHI, whether any exceptions apply, and the likelihood that the information could be misused.  The results will help companies determine the potential risk of harm to the individuals affected by each data breach incident and take appropriate steps to mitigate the potential harm to those affected, while fulfilling all of the HITECH requirements enforced by the HHS, including determining if notification is required.

RADAR is current in beta test with several leading US healthcare providers and will be generally available in August, 2010. RADAR is available as software-as-a-service on a subscription basis with pricing starting at $1,500 per user per year.

This article is reprinted from Healthcare IT News with the author’s permission.

The handling of data breach incidents has become a way of life for healthcare providers and with other HIPAA covered entities. With the passage of the HITECH Act last year, there are now substantial penalties that can be levied, up to $1.5 million. This fact, combined with a requirement to notify the Department of Health and Human Services as well as the media for data breach incidents that affect over 500 individuals has, for the first time, resulted in public records being kept for such incidents.

If you oversee privacy, compliance, or IT for a hospital system, a group practice, a health insurance company, other covered entities, or even one of their business associates, the HITECH Act and its privacy and data breach provisions require your close attention. While many people know that HITECH generally creates requirements for data breach notification, there are at least four things you may not know about HITECH that you really should:

1. The requirement for a mandatory incident-specific risk assessment for every incident
2. The fact that HITECH notification provisions do not pre-empt state notification laws
3. Encryption of data does not necessarily alleviate the risk of data breach
4. If your business associate exposes your protected health information (PHI), you are responsible

1. Mandatory incident-specific risk assessment. When HHS issued its Interim Final Rule giving healthcare organizations guidance for complying with the HITECH Act data breach provisions, it added a new requirement.  The requirement is that the organization carry out an incident-specific risk assessment to determine the potential risk of harm to the individuals affected by each and every data breach incident.  The rules establish a “harm threshold” for notification, but unfortunately, don’t make the determination of risk and the potential of harm. It is essential to become well versed in these rules and be prepared to carry out a HITECH compliant data breach incident risk assessment.

2. HITECH doesn’t pre-empt state notification laws. While HITECH is the first national law for notification in the case of privacy information breaches, most U.S. states also have breach notification laws.  And while the intent of these laws is similar — to make individuals aware that their PHI may have been improperly disclosed — the specific details in all of these laws can actually vary a great deal.  But because HITECH is not “preemptive,” a healthcare organization that has experienced a data breach must ensure that it complies with both HITECH regulations as well as the regulations in every state where individuals are affected.  This can be daunting especially because HITECH and state laws in some cases are conflicting.

3.  Encryption not a silver bullet. There is a lot of advocacy for encryption of PHI as a means to avoid data breach incidents.  The general argument is that if data is encrypted, that data breaches will not occur.  Unfortunately, this is overly simplistic. While encryption will assist healthcare organizations in avoiding certain types of data breach incidents, it is not a panacea.  For instance, a common threat approach is for a criminal or organized crime entity to enlist an “insider” to assist in extracting PHI.  An insider with valid access credentials will not find encryption to be an obstacle in any way.  As a result, consider encryption one of many tools for information protection, not a silver bullet.

4.  You are responsible for your business associate. For the first time, HIPAA business associates are required to meet the HIPAA Privacy and Security Rule requirements based on HITECH.  While this is a good thing, a covered entity should not consider this a “free pass” if one of your business associates exposed PHI that was provided by your organization.  While you may be able to hold them financial accountable, if you’ve specified for such eventualities in your business associate agreements, the obligation for notification is still with the covered entity.  It is your responsibility to maintain the privacy for the PHI, no matter to whom you entrust it. And of course, the affected patients will hold you responsible as well.

As you put processes and procedures in place to meet HITECH obligations, consider also putting in place a comprehensive and current data breach incident response plan.  This will prevent a lot of headaches and last-minute scrambling, should you be faced with a data breach.

A recently published article in Healthcare IT News  highlights aspects of the Health Information Technology for Economic and Clinical Health (HITECH) Act that may have escaped your attention.

Titled “Three things you may not know about the HITECH Act…but should“, the article hones in on aspects of the rulemaking from the US Department of Health and Human Services that healthcare organizations must follow in determining whether a privacy breach incident meets the requirements to notification.

HITECH is known primarily for the manner in which it motivates healthcare providers to implement electronic health records (EHR) systems. But as more and more of our medical information is going online, the Act also wisely enhanced the privacy and security provisions that are required of healthcare providers and added penalties and enforcement mechanisms for the breach of private healthcare information.

One of the three things you may not know, per this article, is that when your organization experiences a potential privacy incident, that you are required to carry out a “risk assessment” in order to determine the nature of the protected health information (PHI) that was disclosed, and whether it poses a risk of harm to the affected patients.Based on the results of this risk assessment, your organization may or may not be obligated to notify the affected individuals, along with HHS and the media. So this assessment process is very important.

Unfortunately, the risk assessment process is not at as well defined or straightforward as might be hoped. And this gets to one of the 2nd items that you may not know about in HITECH. In carrying out a risk assessment, the goal is to determine whether there is a risk of financial, reputational or other harm to the patients affected. And in this process, not all PHI is created equally, and in fact, you must consider the nature of the information disclosed in a manner that is situationally aware.

For instance, disclosure of a persons name and their medical procedure may not be cause for any risk of harm if the procedure was having a bunion removed. However, if the procedure was for the diagnosis of AIDS, disclosure of this information could result in substantial harm. As a result, it is not just the data types that need to be considered, but the nature of the data and the environment of their release. Not at all straightforward.

And then the 3rd thing that you may not know about HITECH from this article is that its data breach notification provisions don’t “preempt” those of each of the states. In fact, if your organization experiences a data breach, you need to assess the requirement to notify and how to notify not just using not just the requirements of HITECH, but also the requirements as stated in state data breach notification laws.

For example, you may find that based on your risk assessment, that HITECH requires notification. But you may also find that in some states, the timeframe for notification is shorter than the 60 days from discovery of incident that is required by HITECH. In other words, you must look at your breach notification requirements both under HITECH as well as under each state law where you have patients that were affected by the incident.

Needless to say, this is a complex process and you would be well advised to document your processes and decisions very carefully. You really don’t want to be the target of one of those $1.5MM fines that are beginning to surface.