How to navigate the investigative and reporting process of a HIPAA breach
Lani M. Dornfeld, Esq.
A Health Insurance Portability and Accountability Act breach or alleged breach affecting your senior living facility can result in catastrophic consequences.
Costly investigative, analysis, reporting and mitigating actions are just some of the ramifications you'll face. Others include expensive fines and penalties, loss of residents, loss of personnel involved in the breach and harm to your reputation.
Navigating your way through the investigation and aftermath without stepping on land mines requires a careful and organized approach.
Although HIPAA contains requirements for breaches by business associates of covered entities, the focus of this article is the breach notification rule requirements for covered entities. Not all senior living communities are “covered entities” under HIPAA. Even if a senior living facility is not a HIPAA-covered entity, however, it may nonetheless be subject to other federal and state privacy laws. Further, even for covered entities, other federal and state laws may apply to a privacy or security breach or may contain more stringent privacy protections than HIPAA. Senior living operators should consult with legal counsel regarding applicable privacy and security laws governing their operations.
HIPAA-covered entities include health plans, healthcare clearinghouses and healthcare providers that engage in certain electronic transactions covered by HIPAA, including electronic billing. Covered entities and their business associates (primarily vendors and contractors of covered entities that provide a service to the covered entity involving the use of individually identifiable health information, known as protected health information [PHI], under HIPAA) must comply with the applicable requirements of the HIPAA Privacy Rule and Security Rule, including the breach notification requirements established under the Health Information Technology for Economic and Clinical Health, or HITECH, Act.
Although the media tend to focus on massive technology breaches affecting hundreds or thousands of individuals, the most prevalent breaches involve only one or several affected individuals and most commonly are the result of lack of proper training and re-training, inadvertence, human error and curiosity. Even these smaller breaches, however, require a tremendous amount of resources to manage.
Some examples include detailed discussions of health information where others can overhear, purportedly “anonymous” discussions about residents or work incidents on social media, curious staff members viewing medical record information outside of job duties without proper authorization, improperly addressed envelopes containing medical information, misdirected faxes and emails, and loss of medical records or portions of medical records taken off-site.
A successful response to a breach includes several components.
Quick action. Swift action is essential to reducing your organization's exposure. A breach is deemed “discovered” by the covered entity as of the first day on which the breach is known to the organization or, by exercising reasonable diligence, would have been known to the organization.
Assemble an investigative and response team as soon as possible. For small covered entities, this may be the HIPAA privacy officer and/or HIPAA security officer, in conjunction with legal counsel when needed. For larger covered entities, the team may include these individuals as well as a HIPAA compliance committee or similar oversight body, in conjunction with legal counsel.
Typically, I ask the privacy officer to take the lead and act as the main point of contact. You also may wish to involve the board of trustees or board of directors, depending on the hierarchical structure of your organization.
Outside forensic information technology experts may be necessary if the breach involves large-scale electronic health information — for example, a breach in a firewall or loss of a handheld device containing large amounts of patient information. For perceived large-scale breaches, the response team also may include in-house or outside public relations professionals.
Investigation. The breach investigation is the cornerstone of all actions to follow and, as such, requires a careful, planned approach and execution. Because potential breaches can range from a simple wrongly addressed envelope containing medical information to broad-scale security incidents, investigative steps will flow naturally from the breadth of the potential breach.
If cloaking the investigation in the attorney-client privilege will be to your strategic advantage, then you will need to be counseled about how to manage the flow of information to maintain the privilege.
Many breach allegations, complaints or discoveries are related to matters such as wrongly addressed mail, disclosing PHI without proper written authorization or improper oral or written disclosures, such as employees who tell their friends about an incident with a resident, either in friendly conversations, in email or on social media. Typically, these allegations require, at a minimum, a series of interviews to assess whether information was improperly disclosed and the extent of any disclosure.
I counsel my clients to have the privacy officer conduct the interviews individually, in a private area, and with a second individual present to assist in gathering facts and assessing the veracity of the interviewee. Focus questions on the who, what, when, where and why of the incident(s) or allegation(s) and also tailor them to gather information necessary to perform the required HIPAA risk assessment, as further detailed below. In addition to interviews, it may be necessary to obtain copies of emails, copies of mail, information contained in the covered entity's information systems and copies of social media posts and other external items.
Electronic breaches may require the assistance of forensic information technology (IT) experts. Thus, in addition to gathering the foregoing information, the focus will be on whether and how the covered entity will be able to trace and determine the scope of the breach and the individuals whose information was or may have been improperly disclosed.
As early in the investigative process as possible, take mitigating actions to contain the breach or prevent additional or future similar breaches. Doing so will assist in both the risk assessment and in reducing liability exposure.
For example, if the initial investigation results reveal that the disclosure occurred due to inaccurate information contained in the organization's electronic medical record or billing systems, then take action to correct the information in all system locations. If it is believed that the disclosure occurred due to an electronic system weakness, then IT experts should take remedial steps to reinstitute or enhance protective mechanisms.
Risk assessment. Once the investigation is complete, you (and your attorney, if you have sought legal assistance) will use the information gathered, as well as any mitigating measures that were instituted thus far, to perform the risk assessment required under HIPAA. Any “acquisition, access, use or disclosure of [PHI] in a manner not permitted under subpart E [of the privacy rule] is presumed to be a breach” unless a risk assessment determines that the covered entity “demonstrates that there is a low probability that the [PHI] has been compromised.”
This determination is made by analyzing at least the following four factors:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification. To assess this factor, consider the types of PHI involved, such as whether the impermissible use or disclosure involved information that is of a more sensitive nature. For example, with respect to financial information, this includes credit card numbers, Social Security numbers or other information that increases the risk of identity theft or financial fraud. Sensitive health information might include an HIV diagnosis.
- The unauthorized person who used the PHI or to whom the disclosure was made. To assess this factor, consider whether the unauthorized person who received the information has a legal or other obligation to protect the privacy and security of the information.
- Whether the PHI actually was acquired or viewed. This factor requires analysis of whether the information was actually acquired or viewed versus whether there existed only the opportunity to do so. For example, if a laptop computer was stolen and later recovered and a forensic analysis shows that the PHI was never accessed, viewed, acquired, transferred or otherwise compromised, then you may conclude that the information was not acquired or viewed, even though the opportunity may have existed. On the other hand, if the organization mailed resident information to the wrong address and the recipient called to advise of the error, then, in this case, the unauthorized individual acquired and viewed the information.
- The extent to which the risk to the PHI has been mitigated. Attempt to mitigate the risks to the PHI following any impermissible use or disclosure, such as by obtaining satisfactory assurances that the information will not be further disclosed (through a confidentiality agreement or similar means) or will be destroyed, and consider the extent and efficacy of the mitigation when determining the probability that the PHI has been compromised.
After analyzing all factors against the information received in the investigation, legal counsel should assist the organization in determining whether PHI has been compromised. If, after analyzing the information, the organization determines that a low risk exists that PHI has been compromised, then no notification is required to be made. If, however, the organization cannot determine that the risk is low, then notification to affected individuals must be made.
Notification. Notify affected individuals “without unreasonable delay” but in no case later than 60 calendar days after “discovery” of the breach. An exception is made if a law enforcement official informs the organization that notification would impede a criminal investigation or damage national security.
In addition to other notice obligations, the notice must be in plain language; describe the types of PHI involved in the breach; provide steps the individual should take to protect himself/herself from potential harm resulting from the breach; include a brief description of what the organization is doing to investigate the breach, mitigate the harm and protect against further breaches; and include contact information to ask questions or obtain additional information.
You also must notify the media if the breach involves more than 500 residents of a state or jurisdiction, and the secretary of the Department of Health & Human Services must be notified in the event of a breach involving 500 or more individuals. Note that many states have breach notification statutes that also must be consulted; Florida, for example, has the Florida Information Protection Act.
Follow-up actions and other considerations
The breach investigation and notification actions typically are not the end of the matter. Seek advice from legal counsel regarding necessary staff discipline or sanction, education or re-education; review and potential update of HIPAA policies and procedures; changes to operational processes; and actions that may need to be taken to protect against reputational harm.
In some instances, referral of the matter to criminal authorities may be warranted — for example, in extreme cases of deliberate and malicious breaches and disclosures. In other instances, the organization may determine that an in-person apology is warranted, in addition to the mandatory disclosure letter.
In my experience, if a complaint is made to the HHS Office for Civil Rights (the HIPAA oversight authority), then the OCR will require production of this type of information and will consider it when making its determination. Document all actions taken by the organization and maintain the documentation in the official files of the organization's HIPAA privacy officer.
Prepare for Phase 2 audits. The OCR announced March 21 the launch of its next phase, “Phase 2,” of audits of HIPAA-covered entities and their business associates. According to the OCR, “[a]udits are an important compliance tool for OCR that supplements OCR's other enforcement tools, such as complaint investigations and compliance reviews.”
The audits will include determinations of compliance with the breach notification rule. Every covered entity and business associate is eligible for an audit. The OCR will look at a broad spectrum of audit candidates and perform desk audits of information requested by and sent to the OCR, on-site reviews or a combination of both. The OCR has stated that if an audit indicates a serious compliance issue, then it may initiate a compliance review to further investigate. Such reviews potentially could result in fines, penalties, demands for corrective action and, in extreme cases, resolution agreements.
As such, it is more important than ever to:
- review your organization's existing HIPAA compliance program and update it as necessary;
- ensure that your organization has performed, and periodically performs, a risk analysis as required under the security rule;
- make certain that your organization has in place the proper privacy and security officials (privacy officer and security officer);
- ensure that your organization has inventoried its business associates and put into place updated business associate agreements; and
- make sure that your organization provides periodic (best practice: annual) HIPAA educational training.
When it comes to HIPAA, prevention is the best medicine.
Lani M. Dornfeld, Esq., is a member in the law firm of Brach Eichler LLC, with offices in Palm Beach, FL, Roseland, NJ, and New York City. She practices in the firm's health law practice group, representing a broad array of healthcare providers in transactional and regulatory matters including corporate compliance and HIPAA compliance.