HIPAA Data Breach Compliance: Reporting Requirements Under the Omnibus Rule

  • 7/30/2019 HIPAA Data Breach Compliance: Reporting Requirements Under the Omnibus Rule

    Pillsbury Winthrop Shaw Pittman LLP

    HIPAA Data Breach Reporting Requirements Under the Omnibus Rule

    Gerry Hinkley, [email protected]
    Allen Briskin, [email protected]

  • 1 | HIPAA Data Breach Reporting

    The purpose of this presentation is to inform and comment upon legal and regulatory developments in the health care industry. It is not intended, nor should it be used, as a substitute for specific legal advice, inasmuch as legal counsel may only be given in response to inquiries regarding particular situations.

  • Breach Notification

    HITECH established the right of the individual to be notified of breaches of PHI
    Breach = the unauthorized acquisition, access, use or disclosure of [PHI] which compromises the security or privacy of such information
    Exceptions include inadvertent, good faith access or disclosures within a CE/BA if the data is not further subject to unauthorized use

  • IFR Breach Notification Standard

    Interim Final Rule (IFR): CEs/BAs must notify of breaches of unsecured PHI that cause a significant risk of harm to the data subjects
    Harm includes financial & other harm; the standard was controversial
    Data correctly encrypted per NIST standards is not unsecured PHI
    Exceptions included limited data set with extra deletions

  • Omnibus Rule Breach Notification Standard

    Definition of breach is changed from the IFR definition
    An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates there is a low probability that the PHI has been compromised
    Determining whether or not there is a low probability that data has been compromised requires analysis of what happened (or may have happened) to the data
    Limited data set exception deleted

  • Breach Notification Risk Assessment

    CE/BA should perform a risk assessment after breach discovery and must consider at least the following:
      Nature and extent of the PHI involved, including types of identifiers and likelihood of re-identification
      Who was the recipient of the PHI
      Was the PHI actually acquired or viewed
      The extent to which the risk of misuse of the PHI has been mitigated

  • Breach Notification: Examples of Risk Analysis Criteria

    Likelihood of identification or re-identification:
      a list of patient names: not low probability
      patient discharge data, patient not specified: can patients be re-identified? could be low probability (depends on the circumstances)
    Who is the unauthorized recipient:
      a HIPAA covered entity: low probability, as long as you have evidence the risk has been mitigated
      an employer that may be able to use personnel records to re-identify: not low probability

  • Breach Notification: Examples of Risk Analysis Criteria (2)

    PHI actually acquired or viewed:
      untampered-with laptop: low probability
      information mailed to the wrong person: not low probability
    Has improper use been mitigated:
      satisfactory assurances of destruction from a known person: low probability

  • Breach Notification: Burden of Proof

    If no risk assessment is performed, the default is notification
    Burden of demonstrating low probability that PHI is compromised is on the CE/BA
    Decision not to notify must be documented in case of review

  • Breach Notification: Obligations to Notify

    CEs must notify individuals (although they can delegate this to BAs)
    BAs must notify CEs (including subcontractors of BAs that qualify as BAs under the expanded definition of business associate)
    Subcontractors should also be obligated to notify their contracting partner so the information can go back up the chain

  • Breach Notification: What Did Not Change

    Definition of Unsecured Protected Health Information
    When a breach is treated as discovered
    Timeline for notifications
    Content of notification
    Methods of notification
    Notification to the media and the Secretary (minor modification: counting from year of discovery)
    Notification by Business Associate
    Delay requested by law enforcement
    Documentation and burden of proof
    Pre-emption standard regarding state laws

  • HIPAA Breach Notification Requirements

    Without unreasonable delay: typically within 60 days of breach discovery
    Record keeping of notifications
    If imminent danger exists, notification by telephone or other means
    First class mail, or email if requested
    Substitute notification if contact information is unavailable
    If more than 500 residents of a state or region are affected, disclose to prominent media outlets
    Immediate notice to the Secretary of HHS if more than 500 individuals are impacted and information is acquired or disclosed (not accessed)
    Annual notice to the Secretary if fewer than 500 individuals are impacted
    Notice may be delayed at the request of law enforcement

  • HITECH Notification Requirements

    Two key questions to determine whether notification is required:
      Did the event qualify as a defined breach?
      Was the information protected by an encryption-like technology?
    Covered Entities (CE) or Business Associates (BA) must notify individuals if unsecured personal health information has been breached.
    Following a breach of protected health information, CEs must:
      Perform and document a probability-of-compromise assessment
      Notify affected individuals, government agencies and sometimes the media
    BAs must notify a CE promptly of a breach of unsecured PHI
    Some variation in notification laws across states; a national standard has been proposed

  • State Laws

    There are currently 46 state data breach laws, including D.C. and Puerto Rico
    Generally, the duty to notify arises when unencrypted personal information was acquired or accessed by an unauthorized person
    Definition of Personal Information
      Many states use the standard definition, but other states add data elements such as health data, DOB, mother's maiden name, employee ID number, passport number or user name
    A number of states require direct notification to state agencies
    Most states require notification to credit reporting agencies
    Some states' breach notification laws contain harm thresholds
      Notification is not required if there is no reasonable likelihood of harm to affected individuals

  • Importance of Planning: Policies & Procedures

    Technology: measures to ensure all PII/PHI is secure
    Leadership and individual responsibility
    Limit employee/contractor access to minimums
    Develop breach response plan and incident response team
    Reconciliation with legal requirements
    Tracking of all data received and created, including location
    Education of workforce (before and after incidents)
    Business Associate compliance
      Amending BA agreements
      Aligning processes and procedures

  • Policy Development

    Processes for discovering breaches
    Procedures and forms for reporting
    Mechanisms for determining
      if unsecured PHI/PII is involved
      affected individuals
      applicable notification requirements
    Processes for
      determining appropriate mitigation
      developing advice to affected individuals
      creating and distributing notices
      determining and creating other forms of communication
      accounting for notification
      reporting to the Secretary of HHS

  • How do you Respond to a Data Breach?

    Collaborative effort often requiring:
      Appropriate role for Legal Counsel
      Investigative Services
      Industry and Data Knowledge
      Computer Forensics
      Database Forensics
      Data Mining and Analytics
      Notification of Impacted Individuals, regulators, etc.
      Call Center
      Crisis Management

  • Thank you