Into the Breach: Identifying and Addressing a HIPAA Security Breach - Bim Group


Cybercrimes and attacks on personal data continue to escalate, and threats to sensitive employee data maintained by employee benefit plans are at an all-time high. The Office for Civil Rights (OCR) recently disclosed that hacking and information technology incidents remain the largest category of Health Insurance Portability and Accountability Act of 1996 (HIPAA) breaches, comprising an astounding 68% of all reported breaches for 2020.

OCR strongly recommends that covered entities redouble efforts to comply with HIPAA’s Security Rule, including its standards and implementation specifications for risk analysis and risk management, information system activity review, audit controls, security awareness and training, and authentication. But what happens when a covered entity has taken the required steps to protect its data and a breach still occurs? The following tips can help a covered entity deal with a HIPAA breach — in the moment as well as during the aftermath.

Identifying a Breach

Under HIPAA’s Breach Notification Rule, a covered entity first must determine whether a reportable breach has occurred. HIPAA defines a breach as any unauthorized acquisition, access, use, or disclosure of protected health information (PHI) unless the covered entity demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment. This risk assessment must address at least the following factors:

  • The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
  • The unauthorized person or persons who used the PHI or to whom the disclosure was made
  • Whether the PHI was actually acquired or viewed
  • The extent to which the risk to the PHI has been mitigated

However, HIPAA regulations also specifically exclude any:

  • Unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a covered entity or business associate, if made in good faith and within the scope of authority, and if not further impermissibly used or disclosed.
  • Inadvertent disclosure of PHI by a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same covered entity or business associate, and the information is not further impermissibly used or disclosed.
  • Disclosure of PHI where a covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain the information.

This determination is complicated and fact-intensive and should be made by a covered entity’s security officer working with expert legal counsel. It is also important to involve your IT department, human resources, and anyone else who will help shape the content and delivery of required notices, so that the timing and nature of the message stay under control.

Individual Notice

Covered entities that identify a security breach must notify affected individuals without unreasonable delay and no later than 60 calendar days following discovery of the breach. Covered entities must provide written notice by first-class mail to the last known address of the individual or, if the individual agrees to electronic notice, by email. If the covered entity knows an affected individual is deceased and has the address of the next of kin or personal representative of the individual, then the covered entity must provide written notification to the next of kin or personal representative.

The required notice must include:

  • A brief description of what happened, including the date of the breach and the date of discovery of the breach
  • A description of the types of unsecured PHI involved in the breach
  • Any steps individuals should take to protect themselves from potential harm resulting from the breach
  • A brief description of what the covered entity is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches
  • Contact information for individuals to ask questions or learn additional information

Media Notice

For breaches involving more than 500 residents in the same geographic area, a covered entity must notify prominent media outlets serving that area. This media notification must be provided without unreasonable delay and no later than 60 calendar days following the discovery of a breach and must include the same information as that required for the individual notice.

Notice to the Secretary

In addition to notifying affected individuals and the media (where necessary), a covered entity must notify the Secretary of the Department of Health and Human Services (HHS) of breaches of unsecured PHI. If a breach involves 500 or more individuals, a covered entity must notify the Secretary at the same time the affected individuals are notified of the breach.

If a breach involves fewer than 500 individuals, covered entities may submit reports of such breaches on an annual basis. Reports of breaches involving fewer than 500 individuals are due to the Secretary no later than 60 days after the end of the calendar year in which the breaches were discovered.

Covered entities must notify the Secretary by filling out and electronically submitting a breach report form on the HHS website.

Address Deficiencies

After discovering and, if necessary, communicating a breach, affected covered entities should carefully analyze the findings of the breach investigation. Covered entities should perform a security risk assessment (or review the most recent risk assessment) and incorporate any lessons gleaned from the breach investigation. Doing so demonstrates good faith compliance in the event of any future investigation or audit, and it makes it less likely that the entity remains vulnerable to the same or a similar security threat that resulted in the breach. The findings also allow a covered entity to update its breach incident policies and procedures and to reeducate the members of its HIPAA security and breach response team.

Conclusion

OCR continues to ramp up enforcement efforts and is currently considering public comments on how to best distribute monetary penalties and other settlement amounts to affected individuals. As data security continues to drive the agency’s agenda, now is a perfect time for employer plan sponsors to make sure they have comprehensive HIPAA policies and procedures in place, including a thorough security risk assessment and breach response plan.

This information has been prepared for UBA by Fisher & Phillips LLP. It is general information and provided for educational purposes only. It is not intended to provide legal advice. You should not act on this information without consulting legal counsel or other knowledgeable advisors.