When do you notify after a HIPAA breach?
With the recent release of the HITECH rule's language on breach notification, risk managers can be left wondering when they have to notify after a breach of protected health information (PHI) in violation of the Health Insurance Portability and Accountability Act (HIPAA). Sometimes you should call the local newspaper and inform the Department of Health and Human Services (HHS), and sometimes you can just keep quiet.
So how do you know which path to follow? A close reading of the rule helps. The notification requirements for breaches and the potential penalties for noncompliance with HIPAA privacy rules were expanded under last year's HITECH Act. For HIPAA covered entities, a breach is defined as an event that "compromises the security or privacy of the protected health information," and defined further as posing "a significant risk of financial, reputational, or other harm to the individual."
That is not entirely clear, and the decision can be important. If you don't notify when you should, HHS will come after you. But if you notify when you really don't have to, you can create unnecessary stress for your patients and their families, and you could damage your hospital's reputation, all for nothing.
The changes to the breach notification rule give risk managers more flexibility but also create ambiguity. The HITECH rule finalized language that shows when notification is required after a breach of protected health information (PHI). Notice is required only if both of these conditions are met:
• There has been access to, or acquisition, use, or disclosure of PHI in violation of HIPAA.
• The violation poses a "significant risk of financial, reputational, or other harm" to the people whose PHI is involved.
• HHS states in the HITECH rule that a covered entity "will need to perform a risk assessment" to determine whether the second condition has been met but does not provide more guidance on how to make that decision.
HHS does make clear that you should be ready to justify your decision: "Covered entities and business associates must document their risk assessments so they can demonstrate, if necessary, that no breach notification was required."
(See the HITECH breach notification rule here: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/breachnotificationifr.html. See the HHS page on breach notification here: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html.)
The exact content of the information and the manner in which it was lost will determine whether you need to notify, says Andrew Blustein, JD, an attorney with the law firm of Garfunkel Wild in New York City. Not every breach will require a notification.
"If the information says Patient 123 has a diagnosis of X, that is a HIPAA violation, because there is a patient identifier. But if someone finds that laptop and sees that information about Patient 123, with no name, you have to wonder if you've crossed that threshold," he says. "People seem to rush past what was actually disclosed and just panic over the fact that there has been a HIPAA breach."
In most cases, however, the breach will involve information that more clearly identifies the patient, Blustein says. And when the situation is not so clear, the burden is on the provider to show that the information posed no risk and required no notification.
"That's the risky part. When in doubt, you may have to go through the HITECH notification," he says. "If HHS comes in and looks at it, and if reasonable minds would differ, you're going to have to prove that your way was the reasonable way."
Blustein says the federal government's stance so far has been that if you have a name connected with a treatment, that is enough to trigger notification. That is not an official stance, he notes, but he says that has been the position of the investigators he has dealt with.
"Unfortunately, if you are in doubt, the best play is to play it safe and notify," he says. "Having the government come in and fine you, and tell you to notify patients now, is a very bad place to be. Then the institution can be seen in the light of not telling patients when things go bad, almost a coverup, and that's not what you want to be involved in."
Blustein says there is a move afoot to just require notification for all breaches, removing all ambiguity, but he says that would greatly increase the burden on health care providers. He recommends encryption as a way to avoid the problem altogether, because encrypted information never triggers the notification rule.
It is critical to understand exactly what information was compromised and how, says Brian Lapidus, chief operating officer with Kroll Fraud Solutions in Nashville, TN. He recently worked with a health care client who lost 2.2 million health care records, but he was able to prove that while the data was lost, there was no way the data could be accessed.
"The organization had no risk of harm and did not have to notify, because we could prove that the data was not accessible," he says. "Simply losing data is not the same as the data being compromised and accessible. A big question involves the intent and the circumstances of the lost [data], whether it was stolen by an angry employee or just lost somewhere. The forensic work can reveal a great deal about whether it is truly accessible to the public."
• Andrew Blustein, JD, Garfunkel Wild, New York City. Telephone: (516) 393-2218. E-mail: [email protected]
• Brian Lapidus, Chief Operating Officer, Kroll Fraud Solutions, Nashville, TN. Telephone: (615) 320-9800. E-mail: [email protected]
SOURCE-Healthcare Risk Management