In Part One of this series of articles discussing the basic considerations of Incident Response best practices, we began with understanding who is required to report a security incident to regulatory authorities, government agencies, or consumers/patients. In Part Two, we review when an incident must be reported. In future articles we will also consider what is to be reported/documented and where different reporting requirements come into play.
Disclaimer: Loricca is not a law firm and does not provide legal advice. The nuances of regulatory language and of each organization’s unique situation related to a potential breach can be extremely complex. We offer these guidelines as a general reference to help guide your team’s Incident Response & Reporting Strategy in the right direction.
Notification of Breach Under HIPAA
A breach is the inappropriate use or disclosure of a patient’s personal health information (PHI). If the company can prove that the stolen or mishandled data was effectively encrypted, destroyed immediately after the loss, or de-identified, and therefore could not have been accessed, the incident may not constitute a breach.
If a breach is deemed to have occurred or if you cannot reasonably prove that encryption, destruction, and/or de-identification prevented it, your Breach Response Plan should be initiated immediately. A key part of that plan needs to be notification of affected individuals, regulators and media as necessary. This portion of your plan may need to be handled with or by your marketing and/or legal teams.
Notification to Individuals
According to HIPAA provisions in the Breach Notification Rule, any compromised patient data necessitates notification to the affected individual. HHS requires this notification to individuals to take place within 60 days and, in some cases, notification to the media is required as well. Many states have different reporting requirements which may be more aggressive.
Notification to the Secretary of Health and Human Services
After notification is made to affected individuals and, as appropriate, the media, the Secretary of HHS must be notified as well. For breaches affecting fewer than 500 people, notice to the Secretary may be made within the calendar year. Any breach affecting more than 500 individuals must be reported to the Secretary within 60 days. Such breaches are published in an online breach listing maintained by HHS.
This 60-day window should be specified in your Incident Response Plan so that it is not missed. In a future article, we will look more closely at what this notification should include and the documentation you should maintain.
To help you determine next steps when faced with a security incident and potential breach, use this simple decision tree.
Notification Required by Business Associate Agreement
If a breach takes place within the systems of a third party vendor or fourth party subcontractor, is it your responsibility to report that breach? This may be a gray area because the 2013 Omnibus Rule makes the Business Associate (BA) fully responsible for compliance and the security of data in its possession. But the Omnibus Rule also requires the original Covered Entity (CE) to maintain a Business Associate Agreement (BAA) with each vendor who may come to possess patient information.
This agreement needs to specifically explain the BA’s commitment not just to the security of the data but also to reporting to you any compromise of that data. We recommend that our clients require immediate notification by any BA in the event of a breach or loss of data of any size. If there is not a solid BAA in place, the CE and BA both risk compliance trouble. In the absence of a detailed agreement, there is no established clarity regarding each party’s obligation to the other and, should a breach occur, the lack of the required BAA will only exacerbate potential regulatory penalties.
If the expectations are not specifically outlined in a BAA, you cannot be assured of the vendor’s compliance or the security of your patients’ information. Further, we recommend you take action to verify compliance with high-risk vendors. Trusting patient information to a third- or fourth-party vendor without insisting that they manage security and compliance to your expectations places your organization at higher risk. Asking for such assurances is not an excessive burden on your vendors; it is a requirement of HIPAA compliance.