HIPAA and Cybersecurity - Part Two / Breach Response

As mentioned in Part One of this two-part discussion on the Health Insurance Portability and Accountability Act (HIPAA), HIPAA has become a pervasive force within the practice of medicine.  All health care providers should be conducting some form of meaningful annual training with their employees.  In Part One, we discussed hacking and criminal behaviors targeted at health care companies, and those will always be very difficult to anticipate and prevent.  By contrast, health care providers can do a great deal to avoid the kinds of internal HIPAA violations – usually committed by employees – which encompass most of the HIPAA violations seen by health care lawyers every day.

These kinds of “self-inflicted” violations include, but certainly are not limited to, employees talking about a patient’s diagnosis or test results with an unauthorized individual, posting about patients on social media and carelessly sending medical records to the wrong individual.  HIPAA is a very complex set of regulations with many rules (and exceptions), and these are just a few of the more routine violations that we see.  If you have more specific questions about what constitutes a violation of HIPAA, it is best to consult a health care lawyer, such as those of us within the Bowles Rice Health Care Group.  Also, while the purpose of this discussion is to lay out the foundation for responding to any suspected HIPAA breach, it is recommended that you seek the assistance of experienced legal counsel because of the considerable fines and other penalties associated with HIPAA violations.

Under the regulations of the Department of Health and Human Services (HHS), “[b]reach means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information.” See 45 C.F.R. § 164.402.  In other words, a breach occurs where (1) protected health information (PHI) has been acquired, accessed, used or disclosed to a person under circumstances that are not authorized by law, and (2) as a result, there is a compromise of the security or privacy of that PHI.  Patient names (first and last name, or last name and initial) are just one of the eighteen (18) identifiers classified as PHI in the HIPAA Privacy Rule.

Once it is determined that a breach of PHI has occurred, the health care provider must determine who, if anyone, it must alert to the breach.  Based on the scope of the breach, HIPAA contains notification requirements, including notifications to the patient or patients whose information has been compromised and to HHS.  This decision to notify, or not, is often a difficult one.  On the one hand, the notification might expose the health care provider to fines and formal corrective action plans, as well as potential lawsuits asserting state-law negligence or breach of privacy claims.  Assuming the health care provider elects to report, HHS or the Office of Civil Rights (OCR) likely will conduct its own investigation into the breach and may find other issues or violations.  On the other hand, the failure to comply with the requirements of HIPAA can result in stiffer penalties, including criminal charges, along with the penalties associated with any state-level data breach reporting statutes.

An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment of at least the following factors: 

  1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
  2. The unauthorized person who used the PHI or to whom the disclosure was made;
  3. Whether the PHI was actually acquired or viewed; and
  4. The extent to which the risk to the PHI has been mitigated. 

Each health care provider facing a potential HIPAA breach must undergo this, or a substantially similar, risk assessment, and it should be noted that the health care provider must document its actions regardless of whether the incident is a notifiable breach.

If the decision to notify is made, individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach.  The notification must include, to the extent possible, a brief description of the breach; a description of the types of information that were involved in the breach; the steps affected individuals should take to protect themselves from potential harm; and a brief description of what the health care provider is doing to investigate the breach, mitigate the harm and prevent further breaches.  These notifications must also provide the contact information for someone at the health care facility who will be available to answer patient questions regarding the breach.  Additionally, the health care provider must notify the Secretary of HHS of breaches of unsecured PHI affecting fewer than 500 people within 60 days of the end of the calendar year in which the breach was discovered.  Notices may be submitted online through the OCR’s portal.

In the end, a health care provider likely cannot prevent every HIPAA violation, especially as it gets bigger and adds more employees.  However, health care providers can work with health care lawyers to do their due diligence in trying to minimize the risks of a breach.  Such steps include reviewing and/or instituting strong policies regarding patient privacy and the confidentiality of PHI; strictly enforcing existing policies and carefully documenting disciplinary actions against violators; training all new employees regarding HIPAA and committing to at least annual refreshers for existing employees; and promptly investigating all reports of potential breaches.  Acting quickly in response to a complaint shows that the health care provider takes confidentiality seriously, and it provides the health care provider the best opportunity to address small problems before they can become larger issues.