READ TIME: 4 MINUTES
Cybercrimes and attacks on personal data continue to escalate, and threats to sensitive employee data maintained by employee benefit plans are at an all-time high. The Office of Civil Rights (OCR) recently disclosed that hacking and information technology incidents remain the largest category of Health Insurance Portability and Accountability Act of 1996 (HIPAA) breaches, comprising an astounding 68% of all reported breaches for 2020.
OCR strongly recommends that covered entities redouble efforts to comply with HIPAA’s Security Rule, including standards and implementation specifications for risk analysis and risk management, information system activity review, audit controls, security awareness and training, and authentication. But what happens even when a covered entity has taken required steps to protect its data and a breach still occurs? These helpful tips can help a covered entity deal with a HIPAA breach — in the moment as well as during the aftermath.
Identifying a Breach
Under HIPAA’s Breach Notification Rule, a covered entity first must determine whether a reportable breach has occurred. HIPAA defines a breach as any unauthorized acquisition, access, use, or disclosure of protected health information (PHI) unless the covered entity demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment. This risk assessment must address at least the following factors:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of
- The unauthorized person or persons who used the PHI or to whom the disclosure was made
- Whether the PHI was actually acquired or viewed
- The extent to which the risk to the PHI has been mitigated
However, HIPAA regulations also specifically exclude any:
- Unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a covered entity or business associate, if made in good faith and within the scope of authority, and if not further impermissibly used or disclosed.
- Inadvertent disclosure of PHI by a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same covered entity or business associate, and the information is not further impermissibly used or disclosed.
- Disclosure of PHI where a covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain the information.
This determination is complicated and fact-intensive and should be made through a covered entity’s security officer working with expert legal counsel. It will also be important to include your IT department as well as human resources and any other individuals who will help form the content and delivery of required notices to be sure to control the timing and nature of the message.
Covered entities who identify a security breach must notify affected individuals without unreasonable delay and no later than 60 calendar days following discovering the breach. Covered entities must provide written notice by first-class mail to the last known address of the individual or, if the individual agrees to electronic notice, by email. If the covered entity knows an affected individual is deceased and has the address of the next of kin or personal representative of the individual, then the covered entity must provide written notification to the next of kin or personal representative.
The required notice must include:
- A brief description of what happened, including the date of the breach and the date of discovery of the breach
- A description of the types of unsecured PHI involved in the breach
- Any steps individuals should take to protect themselves from potential harm resulting from the breach
- A brief description of what the covered entity is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches
- Contact information for individuals to ask questions or learn additional information
For breaches involving more than 500 residents in the same geographic area, a covered entity must notify prominent media outlets serving that area. This media notification must be provided without unreasonable delay and no later than 60 calendar days following the discovery of a breach and must include the same information as that required for the individual notice.
Notice to the Secretary
In addition to notifying affected individuals and the media (where necessary), a covered entity must notify the Secretary of the Department of Health and Human Services (HHS) of breaches of unsecured PHI. If a breach involves 500 or more individuals, a covered entity must notify the Secretary at the same time the affected individuals are notified of the breach.
If a breach involves fewer than 500 individuals, covered entities may submit reports of such breaches on an annual basis. Reports of breaches involving fewer than 500 individuals are due to the Secretary no later than 60 days after the end of the calendar year in which the breaches were discovered.
Covered entities must notify the Secretary by filling out and electronically submitting a breach report form on the HHS Department website.
After discovering and, if necessary, communicating a breach, affected covered entities should carefully analyze the findings of any breach investigation. Covered entities should perform a security risk assessment (or review the most recent risk assessment) and incorporate any items gleaned from the breach investigation. This will demonstrate good faith compliance in the event of any future investigation or audit, and it also will make it less likely that an entity remains vulnerable to the same or similar security threat that resulted in a breach. This will allow a covered entity to modify its breach incident policies and procedures and reeducate members of an entity’s HIPAA security and beach response team.
OCR continues to ramp up enforcement efforts and is currently considering public comments on how to best distribute monetary penalties and other settlement amounts to affected individuals. As data security continues to drive the agency’s agenda, now is a perfect time for employer plan sponsors to make sure they have comprehensive HIPAA policies and procedures in place, including a thorough security risk assessment and breach response plan.
This information has been prepared for UBA by Fisher & Phillips LLP. It is general information and provided for educational purposes only. It is not intended to provide legal advice. You should not act on this information without consulting legal counsel or other knowledgeable advisors.