Are you prepared if a breach happens to you? Hopefully, you already have a plan in place and know exactly what to do. For those of you who don’t have a plan, this blog will help you prepare.
First, let’s identify whether the incident is really a breach or if it is a false alarm.
What is Considered a Breach?
HHS defines a breach as:
“The unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.”
The reason I bring this up is that this definition was updated by the Omnibus Ruling, which removed the “Harm Standard.” This means that if you have a release of information of any kind, be it a fax or email sent to the wrong person, a malware attack, the loss of an unencrypted device, etc., you have to treat it as a breach. This is different from the earlier version of the law, which required you to prove the information had been compromised. Now, it is presumed to be a breach unless you prove otherwise.
Steps to Mitigating a Breach
Health and Human Services expects that you have the processes for responding to a breach in place BEFORE you have a breach. This should be part of your HIPAA Compliance Plan so you aren’t caught flat-footed when a breach happens! These are the steps for creating a breach plan.
Step 1 – Perform a Risk Analysis (different from a risk assessment)
This is an important first step, and it is required by HIPAA. It needs to be conducted quickly and as thoroughly as possible. You are going to be looking for the following items:
- When did the breach start and end
- Discovery date of the breach
- Approximate number of individuals that were affected
- Type of breach:
  - Hacking/IT Incident
  - Improper disposal of devices or records
  - Loss
  - Theft
  - Unauthorized Access/Disclosure
- Location of the breach
- Type of PHI involved:
  - Clinical
  - Demographic
  - Financial
  - Other
As you review all this information, you will have a good idea of what happened, and whether it was actually a breach.
Step 2 – Contact the Authorities
At this point, if you have discovered that this is indeed a breach, and if you determine that a criminal act has transpired, you will need to contact your local authorities. For malware issues, you may be referred to the FBI. You can file complaints with the FBI here: https://www.ic3.gov/complaint/default.aspx/
Step 3 – Notify Clients
You must notify each client or employee by US mail, unless you have clearly stated in your Notice of Privacy Practices (NPP) that you will send these notifications by email, and the client/employee has signed off on this method. Email notification can save you a lot of time and money, so we recommend that you put this notification clause in the NPP. To add this clause, contact your lawyer, or look at the Total HIPAA sample to make sure it is properly laid out in your NPP.
The Substitute Notice: this is required when you cannot reach 10 or more individuals by your primary notification channel. You then have two options. You can either post the notice on your website home page for 90 days, or you can contact local media outlets and have them publish the breach notification.
What is Required to be in the client/employee notification?
- A brief description of what happened, the date of the breach and the date the breach was discovered.
- A description of the types of unsecured PHI involved in the breach (name, address, date of birth, SSN, health information, treatment codes, etc.)
- The steps individuals should take to protect themselves from potential harm. The action could be different for each incident.
- A brief description of what the covered entity involved is doing to investigate the breach, to mitigate damage and to protect against future breaches.
- Contact procedures for individuals to ask questions or learn additional information: a phone number, an email address, a website, or a postal address.
Step 4 – Notifying HHS of the Breach, or The Rule of 500
Under 500
If a breach affects the information of fewer than 500 clients/employees, you are not required to notify HHS at the time the breach is discovered. Document all the items described above and hold the HHS notification until the end of the calendar year; you are required to notify HHS within 60 days of the last day of the year. Here is the link for filing with HHS at the end of the year:
https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf?faces-redirect=true
Over 500
If a breach affects the Protected Health Information of over 500 clients/employees, you are required to notify HHS immediately. You should also look at the list of individual state breach notification requirements that NueMD generated. Many states, such as California, require that you notify the Attorney General’s office for breaches of over 500 clients’/employees’ information. As always, check with your attorney if you have any questions about your specific state’s notification requirements.
https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf?faces-redirect=true
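To show how Steps 1 through 4 fit together as a checklist, here is an added example (not code from Total HIPAA or from the original post) that captures a breach with the Step 1 risk-analysis fields, validates the record, and works out the notification obligations from the thresholds the post gives: US mail unless the NPP authorises email, a substitute notice when 10 or more individuals are unreachable, and the Rule of 500 for HHS timing. The `BreachRecord` class, the sample breach, and the choice to treat exactly 500 affected individuals as the large-breach case are assumptions of this example, not statements from the post.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

# The breach types and PHI categories named in the Step 1 checklist.
BREACH_TYPES = {
    "Hacking/IT Incident",
    "Improper disposal of devices or records",
    "Loss",
    "Theft",
    "Unauthorized Access/Disclosure",
}
PHI_TYPES = {"Clinical", "Demographic", "Financial", "Other"}


@dataclass
class BreachRecord:
    """One breach, captured with the fields the Step 1 risk analysis asks for (hypothetical structure)."""
    started: date
    ended: date
    discovered: date
    affected_count: int
    breach_type: str
    location: str
    phi_types: List[str]
    criminal_act: bool = False          # Step 2: a criminal act was determined
    unreachable_count: int = 0          # individuals the primary channel could not reach
    email_notice_in_npp: bool = False   # NPP states email notice and individuals signed off


def validate_record(rec: BreachRecord) -> List[str]:
    """Return the problems that would make the record unusable for notification."""
    problems = []
    if rec.breach_type not in BREACH_TYPES:
        problems.append(f"unknown breach type: {rec.breach_type!r}")
    if not rec.phi_types or any(t not in PHI_TYPES for t in rec.phi_types):
        problems.append("PHI types must be one or more of " + ", ".join(sorted(PHI_TYPES)))
    if not (rec.started <= rec.ended <= rec.discovered):
        problems.append("dates must satisfy started <= ended <= discovered")
    if rec.affected_count < 1:
        problems.append("affected_count must be at least 1")
    return problems


def notification_plan(rec: BreachRecord) -> Dict[str, object]:
    """Work out who must be notified, how, and by when, from the thresholds in Steps 2-4."""
    plan: Dict[str, object] = {}
    plan["contact_law_enforcement"] = rec.criminal_act
    # Step 3: US mail unless the NPP authorises email and individuals signed off.
    plan["individual_channel"] = "email" if rec.email_notice_in_npp else "US mail"
    # Substitute notice (website for 90 days or local media) when 10 or more are unreachable.
    plan["substitute_notice"] = rec.unreachable_count >= 10
    # Step 4, the Rule of 500. The post says "fewer than 500" and "over 500";
    # exactly 500 is treated here as the large-breach case (an assumption of this example).
    if rec.affected_count >= 500:
        plan["hhs_timing"] = "immediately"
        plan["hhs_deadline"] = rec.discovered   # "immediately" modelled as the discovery date
        plan["check_state_attorney_general"] = True
    else:
        # Annual log: HHS must be notified within 60 days of the last day of the year.
        year_end = date(rec.discovered.year, 12, 31)
        plan["hhs_timing"] = "annual log"
        plan["hhs_deadline"] = year_end + timedelta(days=60)
        plan["check_state_attorney_general"] = False
    return plan


def notice_sections(rec: BreachRecord, protective_steps: str,
                    entity_response: str, contact: str) -> Dict[str, str]:
    """Assemble the five elements the post lists for the client/employee notification."""
    return {
        "what_happened": (f"On {rec.started:%Y-%m-%d} a {rec.breach_type.lower()} "
                          f"occurred at {rec.location}; it was discovered on "
                          f"{rec.discovered:%Y-%m-%d}."),
        "phi_involved": "Types of unsecured PHI involved: " + ", ".join(rec.phi_types) + ".",
        "protective_steps": protective_steps,
        "entity_response": entity_response,
        "contact": contact,
    }


def sample_record(affected_count: int = 120, unreachable_count: int = 12,
                  email_notice_in_npp: bool = False) -> BreachRecord:
    """Constructed sample breach: a lost unencrypted laptop discovered five days later."""
    return BreachRecord(
        started=date(2024, 3, 10), ended=date(2024, 3, 10), discovered=date(2024, 3, 15),
        affected_count=affected_count, breach_type="Loss",
        location="Main St. clinic, lost laptop", phi_types=["Clinical", "Demographic"],
        unreachable_count=unreachable_count, email_notice_in_npp=email_notice_in_npp,
    )


if __name__ == "__main__":
    rec = sample_record()
    print("validation problems:", validate_record(rec) or "none")
    for key, value in notification_plan(rec).items():
        print(f"{key}: {value}")
```

For the constructed sample (120 affected, 12 unreachable, discovered in March 2024) the plan comes out as US mail plus a substitute notice, with the HHS filing held for the annual log and due 60 days after 31 December 2024. Changing `affected_count` to 5000 flips the HHS timing to immediate and flags the state Attorney General check.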
What Happens if You Don’t Self-Report a Breach?
If you are audited and it is discovered that you have not self-reported breaches, this falls under Willful Neglect, and fines start at $10,000 per violation. As you can see, self-reporting is the better course of action.
HHS Fines
| Violation | Fines |
| --- | --- |
| Did Not Know | $100–$50k per violation, up to $1.5M per year |
| Reasonable Cause | $1k–$50k per violation, up to $1.5M per year |
| Willful Neglect – Corrected | $10k–$50k per violation, up to $1.5M per year |
| Willful Neglect – Not Corrected | $50k per violation, up to $1.5M per year |
Exceptions to Notification Rules
Law enforcement officials may ask the Covered Entity to refrain from posting any notification if they believe it could impede a criminal investigation or may cause damage to national security.
What happens if your Business Associate is responsible for a Breach?
Unfortunately, this is happening more and more, and even though you have a Business Associate Agreement in place, a breach at your Business Associate can still open you up to an audit from HHS. This is because of the Common Agency Provision in the Omnibus Ruling.
We recommend that you have a clause in your Business Associate Agreement stating that your BA will notify you within 15 days of a suspected breach of information. If you are the Covered Entity, it is best that you take the lead on client/employee notification. Make sure you get a full report from your Business Associate or BA Subcontractor covering what happened and what they are doing to address the breach. It is important that you communicate all relevant information to your clients/employees so they can protect themselves.
Conclusion
We hope that you never have to face a breach, and that this blog is a reference you never have to use. But we have been seeing more and more businesses become the victims of hacks, malware attacks, lost devices, and employee negligence. This is why it is so important to have a plan in place before you have an issue, and hope you never have to use it, rather than having an issue and no plan of action. Having this plan can save you time, stop the damage of a breach faster, and ultimately save you money. If you have questions on how to create any of the required documents, please send us a note, and we can assist you in creating what you need.