Most people in the industry believe HIPAA requires notification of a breach to the federal government and affected individuals within 60 days of discovery (or sooner where a stricter state law applies). However, HIPAA’s breach notification timeline is actually “without unreasonable delay,” and in no case later than 60 calendar days after the breach was discovered.
Therefore, 60 days is the absolute maximum amount of time permitted, but a shorter timeframe might be reasonable and therefore “required.”
This can be a challenging requirement to comply with, as what is actually required is highly fact specific. There is little, if any, formal guidance to assist in determining what type of delay might be reasonable and what might be unreasonable. The best tactic is not to focus on the 60-day ceiling, but to conduct a swift and efficient incident investigation and breach determination. Completing that work and notifying the respective regulators and affected individuals well within the 60-day window eliminates any question of whether the notification was timely. The worst case would be to have been able to provide notice sooner, but instead to delay notice until closer to the 60-day ceiling. That would seemingly be an unreasonable delay, and could result in increased penalties.
Breach notification is never a pleasant situation, especially not for those potentially affected. HIPAA is drafted to provide timely notification to those affected, while still allowing flexibility to conduct a thorough and proper investigation. While HIPAA may allow up to 60 days for notification, a shorter timeframe is often both reasonable and most appropriate.
On Friday, attorneys announced a $115 million settlement to customers affected by the 2015 Anthem data breach. It is believed to be the largest settlement related to a data breach in history. Approximately 79 million people were affected by the breach. The settlement funds will be used to provide two additional years of credit monitoring to affected individuals, or cash for those already enrolled in monitoring. This is in addition to the initial two years of credit monitoring previously provided.
The February 2015 breach was caused by an unknown hacker who accessed a database with personal information. There has been no evidence that the information was released on the cybercrime underground, which leads some to theorize that it was the work of a state-sponsored hacker.
This settlement is in addition to the $260 million of security improvements, remediation and clean-up that followed the breach, bringing the total costs associated with this breach to $375 million.
Just today another HIPAA breach settlement was announced. This one is a $2.5 million fine imposed on CardioNet stemming from the theft of a laptop containing PHI. The investigation from the HHS Office For Civil Rights discovered that CardioNet “failed to implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of its facilities, the encryption of such media, and the movement of these items within its facilities until March 2015.” It turns out that CardioNet’s policies were in draft form and had not been implemented. In fact, the organization had no HIPAA related final policies or procedures.
HIPAA policies and procedures are an essential aspect of keeping patient information secure and private. They are the best method to ensure consistent implementation of safeguards over time and can help ensure things go smoothly during times of personnel transition or crisis. They serve as the validation of the implementation of your privacy and security safeguards. As we saw in last year’s round of HIPAA audits, regulators ask for the documentation of your safeguards rather than coming on-site to see the safeguards in action. Policies and procedures are also required by HIPAA.
Implementing policies and procedures can be a time consuming process. Here is a step-by-step approach to help guide your efforts:
- Identify the policy owner and delegate the design and implementation to that person;
- Understand what is required and what safeguards are currently in place;
- For instances in which the requirements are addressable rather than required (e.g. encryption), determine what, if any, safeguard will be implemented;
- Draft the policy. Templates can be helpful, but they still must be customized for your organization;
- Draft the procedure that will be used to implement the policy. Include necessary supporting documentation such as logs or forms;
- Distribute the draft policy and procedure to internal stakeholders;
- Obtain approval of the policy and procedure by the appropriate body (e.g. executive management, Board of Directors, etc.);
- Schedule the time the policy and procedure become effective and calendar a time for review (e.g. 6, 9, or 12 months);
- Circulate the final policy and procedure to appropriate staff; and
- Train or re-train staff as necessary.
Implementing policies and procedures is critical but does not have to be overwhelming. Having a consistent process for policy and procedure development, as well as a schedule for reviewing and updating documentation, will help increase the effectiveness of your safeguards and keep patient information secure and private.
Last week the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) announced a $400,000 HIPAA settlement with Metro Community Provider Network (“MCPN”), a Federally Qualified Health Center (“FQHC”) in Colorado. The settlement is the result of a 2011 breach in which a hacker used a phishing campaign to access employees’ email accounts and obtained the PHI of 3,200 individuals. Here are a few things you can learn from this situation to prevent the same from happening to your organization.
Conduct a Risk Analysis: It is a common theme throughout breach settlements, but it is worth repeating: conducting a security risk analysis is a fundamental part of preventing a breach. MCPN did not conduct a risk analysis until after it discovered the phishing incident. A risk analysis should be conducted and then periodically reviewed to ensure it is still accurate. It should also be thorough enough to identify all of the risks within the organization, and should be organization wide. A risk analysis should include an analysis of all devices which store, process, access, or transmit PHI as well as all locations (offices, cabinets, off-site storage, the cloud, etc.) with PHI. The output of the risk analysis should be a comprehensive risk management plan which outlines remediation activities and how risks will be identified and evaluated in the future. While a risk analysis is a point-in-time assessment, the risk management plan must outline how the organization will consistently manage and mitigate risk into the future.
Implement and Update Policies and Procedures: OCR’s investigation indicated that MCPN had inadequate policies and procedures. This led to either a complete lack of PHI protection, or the inconsistent implementation of safeguards. Having policies and procedures that are implemented and consistently updated leads to consistent implementation of the safeguards themselves. Without the policies and procedures, it is difficult to effectively protect PHI.
Train Your Staff: MCPN did a poor job of training its employees. Better training may have prevented that one employee from clicking on the phishing e-mail. Training is an essential component of protecting PHI. In your organization you should train all of your employees at hire, and at least once each year. You might also consider sending a simulated phishing campaign to your staff. This could be a critical opportunity to educate staff on what to look for in a phishing email and potentially prevent one in your own organization.
While this most recent breach settlement is similar to other recent settlements, it emphasizes the notion that conducting a risk analysis, having policies and procedures, and training employees are the fundamental building blocks of protecting PHI.
No one likes to think about it, but malicious attacks by an insider and other insider threats are the cause of a significant number of healthcare data breaches. They can come from a disgruntled employee, a recently terminated member of the staff, or even someone who is being bribed to provide patient information. While they may be some of the hardest attacks to guard against, they are preventable. Here are a few steps to keep in mind:
Screen New Hires: One of the best prevention methods is to not hire someone who turns out to be a malicious employee in the first place. You may consider completing a background check on all new hires and even periodic checks on current staff members. While not an exact science, it may help to identify potential bad actors before they cause any damage;
Terminate Access Immediately: Often when employees leave any organization there can be hard feelings, which potentially lead to irrational decisions. To help guard against this, you should terminate all access to PHI immediately upon the employee leaving the organization. Any delay in terminating access can leave you susceptible to the whims of a disgruntled former employee;
Perform Regular Access Audits: Having a process in place to review logs of who within your organization is accessing PHI and what they are accessing can be a helpful tool in spotting a snooping employee. To truly be effective, the logs need to be reviewed on a consistent basis to identify an employee who is accessing PHI unnecessarily or to pick up suspicious patterns of access; and
Train Staff on Sanctions: Training should include information that outlines the sanctions that can be imposed (both by you, the employer, and the authorities) for malicious actions involving the access or disclosure of PHI.
Admittedly, guarding against insider threats is a challenge, but it is possible. If you implement reasonable protections then you can prevent or stop nefarious actions by your staff.
Last week the Department of Health and Human Services Office for Civil Rights (“OCR”) announced another large HIPAA fine. This instance is a $5.5 million settlement with Memorial Healthcare System (“MHS”). Unfortunately, some of the issues that led to the breach, and thus the settlement, were highly preventable, and therefore are worth pointing out. The primary issues included:
- Failing to implement its own policies and procedures for modifying/terminating access to PHI;
- Failing to review records of PHI accessed by staff; and
- Failing to act on risks identified during a security risk assessment.
Specifically, for over a year MHS failed to close the account of a terminated employee. That account was used to access PHI affecting more than 80,000 individuals.
This highlights the need for several things. First, you must have a specific process in place to terminate accounts when employees leave. This typically requires HR and IT to work closely together. If you don’t have a smooth process, consider working closely with both departments to establish a consistent procedure.
Second, you should periodically review who is accessing PHI. If MHS had done this they would likely have noticed that an account of a terminated employee was not only still active, but was being utilized to access PHI. As we have discussed in the past, the reviews can be a high frequency sample that is conducted on a consistent schedule, rather than an exhaustive review of all accounts and access levels.
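The two reviews described above (checking for accounts that should no longer exist, and spotting staff who access PHI unnecessarily) can be largely automated once the EHR audit log and an HR roster are available. The following is an added example, not code from the original post or from any of the organizations it discusses. The pipe-delimited log format, the roster layout, and all of the log lines and accounts are constructed for illustration; a real deployment would read these from the EHR's audit export and the HR system.

```python
"""Flag post-termination and anomalous PHI access in an EHR audit log.

Added example, not code from the original post. HR_ROSTER and ACCESS_LOG are
constructed sample data; the pipe-delimited log format is an assumption.
"""
from collections import defaultdict
from datetime import date, datetime
from statistics import median

# Constructed HR export: account -> termination date (None = active employee).
HR_ROSTER = {
    "jdoe": None,
    "asmith": date(2017, 1, 15),   # terminated in January, account never closed
    "bjones": None,
    "clee": None,
}

# Constructed EHR audit log, one event per line: timestamp|account|action|patient_id
ACCESS_LOG = """\
2017-02-01T08:02:11|jdoe|VIEW|P1001
2017-02-01T08:05:40|jdoe|VIEW|P1002
2017-02-01T09:15:02|asmith|VIEW|P2201
2017-02-01T09:16:30|asmith|EXPORT|P2202
2017-02-01T10:00:00|bjones|VIEW|P1003
2017-02-01T10:30:00|contractor9|VIEW|P4001
2017-02-01T11:00:00|clee|VIEW|P3001
2017-02-01T11:01:00|clee|VIEW|P3002
2017-02-01T11:02:00|clee|VIEW|P3003
2017-02-01T11:03:00|clee|VIEW|P3004
2017-02-01T11:04:00|clee|VIEW|P3005
2017-02-01T11:05:00|clee|VIEW|P3006
2017-02-01T11:06:00|clee|VIEW|P3007
2017-02-01T11:07:00|clee|VIEW|P3008
"""


def parse_log(text):
    """Parse pipe-delimited audit lines into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, action, patient = line.split("|")
        records.append({
            "when": datetime.fromisoformat(ts),
            "account": account,
            "action": action,
            "patient": patient,
        })
    return records


def terminated_or_orphan_access(records, roster):
    """Return PHI access events by accounts that should not be active:
    the owner was terminated on or before the event date, or the account
    does not appear in the HR roster at all (an orphan account)."""
    findings = []
    for r in records:
        if r["account"] not in roster:
            findings.append((r["account"], r["when"], r["patient"], "not in HR roster"))
            continue
        term = roster[r["account"]]
        if term is not None and r["when"].date() >= term:
            findings.append((r["account"], r["when"], r["patient"], f"terminated {term}"))
    return findings


def snooping_outliers(records, factor=3, floor=5):
    """Flag accounts that touched far more distinct patients than their peers.
    Threshold = max(floor, factor * median) so that a small roster or a
    normal clinical workload does not produce false positives."""
    patients = defaultdict(set)
    for r in records:
        patients[r["account"]].add(r["patient"])
    counts = {a: len(p) for a, p in patients.items()}
    threshold = max(floor, factor * median(counts.values()))
    return {a: n for a, n in counts.items() if n > threshold}


if __name__ == "__main__":
    recs = parse_log(ACCESS_LOG)
    for f in terminated_or_orphan_access(recs, HR_ROSTER):
        print("ACCESS BY INVALID ACCOUNT:", f)
    for acct, n in snooping_outliers(recs).items():
        print(f"UNUSUAL VOLUME: {acct} viewed {n} distinct patients")
```

Run on the constructed data, the first check flags both of asmith's post-termination events and the orphan account contractor9, and the second flags clee, who viewed eight distinct patients while every other account viewed one or two. The median-based threshold is deliberately simple; in practice it would be computed per role or department, since a registration clerk and a surgeon have very different normal volumes, and the review would be scheduled (weekly, for example) rather than run once.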
Additionally, MHS identified many of these items as posing risk to the organization through several Security Risk Assessments. However, it failed to do anything to remediate the issues. Much significance has been placed on conducting a risk assessment, but far less on the need to actually correct the risks it identifies. One output of your risk assessment should be a prioritized list of items that need remediation. You should be establishing milestones along the way to correct these issues and tracking your progress.
Finally, MHS failed to implement the policies and procedures it had in place on many of these issues. Having policies and procedures that outline your safeguards is important, but following your documentation is absolutely critical. HIPAA compliance is as much about compliance with your own policies and procedures as it is about doing what the rule requires. This is one reason why it is important to frequently review your policies and procedures to ensure you are doing what those documents outline.
In summary, this large breach fine highlights the fact that protecting patient information is not about high tech solutions, but rather about doing the little things. Not doing some basic tasks compounds the issues and exacerbates the damage.