Organizations both within and adjacent to healthcare need to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). One major component of HIPAA compliance is preventing breaches. However, if one appears to have happened, a breach determination and risk assessment will determine whether you need to follow Breach Notification requirements.
Understanding HIPAA Breach Determination and Risk Assessments
The HIPAA Breach Notification Rule specifies that any violation of the Privacy or Security rules, or any unauthorized disclosure of Protected Health Information (PHI), is assumed to be a breach. However, there are exceptions to that classification.
The only way to prove that an incident is an exception and not a breach proper is to conduct a breach determination and risk assessment. To understand how this works, you need to know:
- What the assessments are and what factors they consider
- What requirements apply when a breach is determined
- What other HIPAA rules relate to breaches and how
This information will help you prevent breaches and prepare for assessments and any requirements you’ll need to follow if a breach does occur.
What is a Breach Determination and Risk Assessment?
Per the Breach Notification Rule, a breach is any use or disclosure of PHI that is unauthorized or impermissible. The Privacy Rule establishes what makes any given use of PHI appropriate, and the Security Rule builds upon these protections for electronic PHI (ePHI).
In practice, allowing unauthorized use of PHI means the Privacy and/or Security rule has been broken, and a breach has occurred. However, there are three exceptions that may apply:
- Exception 1 – This applies if there is unintentional unauthorized access of PHI by staff working under and within the scope of a Covered Entity’s authority and in good faith.
- Exception 2 – This applies if there is inadvertent sharing of PHI between parties authorized to access it, provided there are no further uses beyond that disclosure.
- Exception 3 – This applies if the Covered Entity has reason to believe (and can prove) that the parties to whom PHI was disclosed would be unable to retain the information.
These exceptions mean the probability of risk is low enough that no notification is required.
Breach determination and risk assessments are conducted by Covered Entities when a breach appears to have happened. They may work independently or with an external assessor, using any breach risk assessment tool they choose, to analyze breach risk.
Breach risk is determined using a four-factor analysis. The Covered Entity provides documentation for one or more of the factors to make a case that Breach Notification requirements should not apply.
Factor #1: Was the Information Unsecured PHI?
The first factor to analyze involves the actual information that was exposed to an unauthorized individual or organization. HIPAA breaches, by definition, need to involve unsecured PHI.
Per the Privacy Rule, PHI comprises any information that identifies an individual and is related to their health conditions, health treatment they’ve received, or payments made for their treatment. To be rendered secure, PHI needs to be made unusable through encryption, as described in the Security Rule, or the media on which it’s stored needs to be destroyed.
Additionally, de-identified information is not subject to protection and cannot trigger a breach.
In your assessment, you need to determine whether the information shared is PHI and if it is unsecured. If neither of these is true, Breach Notification requirements may not apply.
Factor #2: Who Accessed the PHI, and to What Extent?
Next, you’ll need to analyze the particular parties to whom the information was disclosed. The purpose of this step may seem straightforward, but it actually assesses several sub-factors:
- Are the entities to whom PHI was disclosed authorized to access it?
- Are the entities able to identify any individuals the PHI relates to?
- Are the entities under an obligation to protect the PHI, as well?
If you can make a case that the entity who accessed the PHI was authorized to do so, was unable to identify who it concerns, or is under similar obligations to protect it from compromise, then a breach exception may apply, and Breach Notification requirements may not apply to you.
Factor #3: Was the Unsecured PHI Used by the Entity?
The next factor is somewhat nebulous. It concerns whether the PHI in question was actually accessed, viewed, or otherwise used by the entity in question or if there was just an opportunity for that access to occur that never materialized. Technically speaking, any instance in which an unauthorized party has the ability to access PHI is (potentially) a breach.
However, a breach can only be said to have occurred—or caused enough risk to warrant notification—if the information in question was actually accessed.
This is difficult to prove, as a lack of evidence that access did happen does not constitute proof that access did not happen. Regardless, if you can provide convincing evidence that actual access probably didn’t happen, Breach Notification requirements may not apply.
Factor #4: To What Extent Have Risks Been Mitigated?
Finally, you round out your assessment by analyzing what risk remains for any individuals identified in the PHI disclosed, after any mitigation measures taken by the Covered Entity.
Some common approaches to mitigating risk include contacting the individuals or organizations to whom it was disclosed and requesting that they destroy or return the information in question. You also may request a formal attestation that this happened, or a binding agreement that the entity will not use or disclose the PHI in any other way to any other parties.
Like Factor #3, this is hard to prove. Nevertheless, taken together with the other factors, it could result in Breach Notification requirements not applying.
What are the Breach Notification Rule Requirements?
If an unauthorized party accesses PHI that you are responsible for, and none of the exceptions above apply, you’ll need to follow the Breach Notification Rule requirements. These can vary depending on the severity of the breach and the number of people impacted, but the primary burden is providing three forms of Breach Notification (see below).
Beyond providing notice, Covered Entities also need to retain documentation that they sent the notifications or that it was not necessary to do so (i.e., documentation of your assessment).
HIPAA also requires that Covered Entities account for Breach Notification in their administrative policies. You need to have formal rules and procedures in place to ensure timely notice is sent and employees are trained with respect to their responsibilities. These requirements apply passively, irrespective of whether or not a breach has occurred.
Notify All Parties Impacted by the Breach
If a HIPAA breach has occurred, you need to notify every individual it impacts, and it needs to happen as soon as possible—namely, no later than 60 days after the breach is discovered.
The notice should include information about the breach, including but not limited to:
- What kinds of information were involved, and how much
- What the impacted individuals can do to protect themselves
- What the Covered Entity is doing to minimize potential harm
- Whom the impacted individual can contact to learn more
Also, the form that Individual Notice takes may vary.
HIPAA requires formal, written communication via mail or email. If you lack current contact information for fewer than 10 individuals, you may substitute other forms of communication such as phone calls. If you lack contact information for 10 or more impacted individuals, you need to post a notice on the homepage of your website for 90 days or notify the media (see below).
Notify the HHS Secretary, Immediately or Annually
The Secretary of the HHS also needs to be informed of all HIPAA breaches. How and when you need to provide this notice depends on the severity of the breach itself. If the breach impacts 500 or more individuals, you’ll need to follow the same timeline as for Individual Notice. If fewer than 500 people were impacted, you can notify the Secretary on an annual basis, within 60 days of the end of the calendar year in which the breach in question occurred.
Whether or not a breach is determined to have occurred, you’ll need to be in touch with the HHS Secretary. You’ll either report a breach or provide evidence that it doesn’t need to be reported.
Notify the Media in the Case of Large HIPAA Breaches
If a HIPAA breach impacts 500 or more individuals, you may also need to notify the media.
Specifically, this requirement comes into play if a breach impacts 500 or more individuals in one particular state or jurisdiction area. In these cases, Covered Entities need to notify prominent media outlets that service that area, such as local newspapers or channels. Media Notice generally takes the form of a press release.
As with Individual and Secretary Notice, Media Notice needs to happen within 60 days of the breach’s discovery. It does not take the place of Individual Notice, except in cases where a Covered Entity lacks current contact information for an impacted individual (see above).
What Other HIPAA Requirements Relate to Breaches?
As noted above, any violation of the Privacy or Security rules is assumed to be a breach by default, unless a breach determination and risk assessment shows that an exception applies.
Both the Privacy Rule and Security Rule are directly related to Breach Notification.
The Privacy Rule is the original and most critical pillar of HIPAA. It defines what PHI is and the parties to whom HIPAA applies. Namely, it details that Covered Entities include providers, plan administrators, and healthcare clearinghouses, along with their Business Associates.
The primary requirements of the Privacy Rule comprise preventing any sharing of PHI that falls outside the list of Permitted Uses and Disclosures:
- Disclosure to the subject of the PHI or a representative thereof
- Uses involving healthcare treatment, payment, and operations
- Use or disclosure after the subject is given a chance to object
- Incidental uses or disclosures related to other authorized ones
- Uses involved in public interest and public benefit activities
- Uses of limited data sets for scientific research or public health
The Privacy Rule also stipulates rules for authorizing disclosure through formal request by the subject of the PHI.
The Security Rule builds on these requirements, detailing administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of PHI. It also requires taking proactive steps to protect PHI from anticipated threats.
Failure to uphold any of these requirements, or those of the Breach Notification Rule, may trigger penalties outlined in the Enforcement Rule. The HHS investigates violations and assesses Civil Money Penalties. In some cases, the Department of Justice is involved, and Criminal Penalties may also apply.
Other Considerations for HIPAA Compliance
If you are or work closely with a Covered Entity, another compliance framework you may need to account for is the HITRUST CSF. The CSF is an omnibus framework for security across many industries; its broad and deep protections account for HIPAA compliance, along with PCI, NIST, and many other regulations. Implementing the CSF streamlines your compliance across all frameworks, reducing overlap through the “assess once, report many” approach.
HITRUST is not a legally mandated regulation, like HIPAA. However, many healthcare payers and other industry players expect or require HITRUST certification from their partners. Working with a HITRUST advisor can help you optimize your overall security, minimizing the risk of HIPAA breaches and all other non-compliance violations.
Secure PHI and Avoid HIPAA Breaches
To recap, any organization in or around healthcare may qualify as a Covered Entity or business associate of one. If that applies to you, you’ll need to ensure any PHI you come across is secure. If you suspect a breach has occurred, you’ll need to conduct an assessment using the four factors above to determine whether Breach Notification requirements will apply.