
3 Compliance Considerations for HIPAA-Required Breach Response

With the rise in ransomware and other sophisticated cyberattacks, it’s crucial for providers to remain compliant with HIPAA guidelines when responding to a breach.

In the wake of a breach, responding quickly enough to eradicate the attackers from the network and limit the impact of the attack is no easy feat. In the healthcare sector, the response must also comply with HIPAA and other state and federal regulations, which further complicates it.

In January, research from Buck showed that many health plan sponsors struggle to comply with HIPAA and an even greater number were not prepared to face an audit from the Office for Civil Rights.

Meanwhile, a recent report showed that just 44 percent of healthcare provider organizations conform to the NIST Cybersecurity Framework, a key element of a secure healthcare environment and one that supports HIPAA compliance.

Given the resurgence of ransomware and other sophisticated cyberattacks, and the routine and often expensive OCR settlements for HIPAA noncompliance, it's crucial that providers understand how to respond to a breach while adhering to HIPAA's rules.

Incident, Violation, or Breach?

When suspicious activity is detected on a network, or when patient files are stolen, covered entities and business associates must first determine whether a breach of protected health information (PHI) has occurred.

According to AHIMA, an incident is defined as an event reported to the privacy or security officer that would result in an investigation to determine the likelihood that there was an impermissible use or disclosure of PHI. 

An investigation into the incident determines whether there was a violation or a breach, and therefore which subsequent actions are required, such as sanctions to resolve the issue or notifications to meet compliance obligations if a breach did occur.

A violation, in turn, is an infraction of HIPAA in which unsecured PHI was "acquired, used, or disclosed in a manner not permitted by the rule."

Providers must presume that a violation is a breach unless the PHI was secured or the entity can demonstrate a low probability of compromise: "the information can be rendered as unusable, unreadable, or indecipherable—or a completed risk assessment demonstrates low probability that the PHI has been compromised. PHI that cannot be rendered as unusable, unreadable, or indecipherable to unauthorized persons through either encryption or destruction is considered to be unsecured."

The Department of Health and Human Services (HHS) provides four factors to help providers assess the situation and conclude whether a breach has occurred. Importantly, the onus of determining whether PHI has been breached rests solely on the covered entity (or business associate) and is established through a documented risk assessment. OCR updated its risk assessment tool in September.

The four factors are: (1) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the PHI or to whom it was disclosed; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk to the PHI has been mitigated.

"Covered entities and business associates, where applicable, have discretion to provide the required breach notifications following an impermissible use or disclosure without performing a risk assessment to determine the probability that the protected health information has been compromised," according to HHS.

“A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information,” the HHS site adds. “An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised.” 

60-Day Notification Timeline

One of the most frequently overlooked HIPAA elements is the 60-day notification timeline. Just this month, University of Missouri Health Care and Oaklawn Hospital in Michigan reported breaches from 2019 and spring 2020, far beyond the HIPAA-required 60 days.

Given that failure to meet this requirement can result in a large civil monetary penalty from OCR, or even a lawsuit, providers must understand how to report a breach within the tight timeframe while being transparent with affected patients about the incident.

Under HIPAA, a breach is treated as discovered on the first day it is known to the covered entity, or would have been known had the entity exercised reasonable diligence, defined as the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.

The rule specifies that notifications must be made within 60 days of discovery, not at the conclusion of an investigation, so the clock runs while the investigation is still under way.

"These individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include, to the extent possible, a brief description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the covered entity (or business associate, as applicable)," according to HHS.

Some argue that within that timeframe it is often unclear exactly what data was breached and for how long, because the investigation is still ongoing. However, transparency and clarity are essential both to remaining compliant and to assuring patients that the provider has done its due diligence in reporting the event. When details are still unknown, the notification should say so and commit to a follow-up.

A prime example of the right way to report a breach while an investigation is still ongoing and the 60-day clock is running can be seen in the 2019 security incident at the Oregon Department of Human Services.

In March of that year, the agency reported that nine employees had fallen victim to a targeted phishing campaign, affecting the data of about 350,000 patients. Once officials determined the accounts were compromised, they hired an outside security team to verify exactly what data was exposed during the attack.

Finding more than 2 million emails in the compromised accounts, Oregon DHS issued a preemptive notification to all affected patients, informing them of the potential impact and that a final report would follow once the investigation was complete.

By June 2019, the agency found that the total number of patients affected by the phishing attack had nearly doubled from the initial estimate. However, the early notification allowed those patients to take action and monitor their accounts for suspicious activity, and the subsequent notification provided transparent details on what occurred, both in the breach and in the investigation.

Burden of Proof

Once a breach is reported to OCR, some incidents are followed by an audit or investigation. It is therefore crucial that covered entities and their business associates have documentation proving they were compliant before the event, detailing the steps of their risk assessment and investigation, and showing that their response followed HIPAA guidelines.

Compliance is determined first by whether the entity implemented the key elements of a privacy and security program, including designating a security officer, performing a security risk analysis, implementing a risk management plan, ensuring all business associate agreements are in place, and conducting routine HIPAA training.

The burden of proof also extends to demonstrating that all required notifications "have been provided or that a use or disclosure of unsecured protected health information did not constitute a breach."

"Thus, with respect to an impermissible use or disclosure, a covered entity (or business associate) should maintain documentation that all required notifications were made, or, alternatively, documentation to demonstrate that notification was not required," according to HHS.

"[First], its risk assessment demonstrating a low probability that the protected health information has been compromised by the impermissible use or disclosure, or [second,] the application of any other exceptions to the definition of 'breach,'" the site adds.

Under HIPAA, entities must also meet certain administrative requirements for breach notification, including written policies and procedures for breach notifications, workforce training on those policies and procedures, and the development and application of appropriate sanctions for workforce members who fail to comply.

It's also important to note that OCR's 2016 ransomware guidance clarified how the burden of proof applies to ransomware attacks: when ransomware encrypts ePHI, a breach is presumed to have occurred, unless the covered entity can demonstrate, through its risk assessment, a low probability that the PHI was compromised.
