Breach Notification: Who's Involved?Attorney Offers Strategy for HIPAA Omnibus Compliance
Attorney Ellen Giblin describes who should be involved in determining whether a breach should be reported to comply with the new breach notification requirements of the HIPAA Omnibus.
"I would say that the chief privacy officer would be involved in the oversight for the whole incident process of reporting HIPAA incidents," says Giblin, privacy counsel for the Ashcroft Law Firm, based in Boston, in an interview with Information Security Media Group [transcript below].
But the organization's general counsel also should be involved, she notes. "Make sure they're in the loop of how incidents are being reported and how many incidents are being reported."
The chief compliance officer and chief information security officer also can play important roles in breach response, Giblin says.
The Department of Health and Human Services will begin enforcing HIPAA Omnibus Rule on Sept. 23. Non-compliance penalties for covered entities and their business associates can range up to $1.5 million per HIPAA violation. Under HIPAA Omnibus, business associates, as well as their subcontractors, are directly liable for HIPAA compliance.
In the interview, Giblin also discusses:
- Details on the four factors to be considered in breach assessments under HIPAA Omnibus;
- Why organizations should thoroughly test their breach response plans;
- Tips for dealing with breach investigations conducted by the Department of Health and Human Service's Office for Civil Rights.
As privacy counsel for the Ashcroft Law Firm, Giblin advises clients about how to prevent and respond to a breach of their systems. She has extensive experience on such issues as privacy, data breaches, data protection, cybersecurity and information management. Previously, she served as privacy counsel at Littler Mendelson, an international labor and employment firm. Earlier in her career, she was a senior risk manager at RBS Americas and a privacy officer for Citizens Financial Group.
MARIANNE MCGEE: What are the most critical steps that covered entities and business associates should be taking to make sure they're ready for breach notification requirements under the HIPAA Omnibus Rule?
ELLEN GIBLIN: For my clients and those who I speak to about this topic, what I always recommend is they start off with increased awareness and training. Under increased awareness, what I would recommend would be to roll out introduction to what the changes are under the new rule, and it's going to require each group within your organization to adapt to the changes.
For example, your policies and procedures should be reviewed, and you should update these policies and procedures to enable the team to detect and escalate [urgency of] potential breaches to the incident response team. Then you also want to recreate your risk assessment under the new rule, which is going to require the examination of four factors. And whether or not your organization has trained risk managers, you would probably either want to bring somebody in to review how a risk assessment's conducted for your team on these new four factors, of whether PHI's compromised and see if that's sufficient, or you may ultimately need to seek legal assistance in coming up with what the requirements are for conducting the risk assessment to determine the probability that PHI has been compromised.
You would continue the process of providing supporting documentation and letting everyone know what they would need to provide when an incident is reported. You're probably going to be revising the reporting template and collecting more information around the facts of exactly what happened. You'll be looking to see the types of identifiers and a likelihood of whether information could be re-identified. You'd have to introduce the concept, perhaps, to your organization of what the term 'identifier' means, like what are the elements of PHI that were compromised. You also have to take a look at who the person was that actually was exposed to the protected health information and who the disclosure was made to, because that's a new type of analysis on who was the unauthorized person. A lot of organizations don't have role-based access management and training already in place. It might not seem as though anyone who works in the company is unauthorized, but, in fact, it's true, especially in the business associate arena, that not everyone is authorized to see PHI.
I would also be looking at creating a risk assessment of whether the protected health information was actually acquired or viewed, and that takes a little bit of training around whether this something that was misdelivered. Paper is still a big issue in this area. Many of the breaches are due to a lot of stolen paper documents containing PHI. Whether protected health information was actually acquired and viewed, you'd probably want to go over some examples with your workforce of what that actually means so when they go to report an incident up to your central notification group, legal, compliance and information security, they have all the facts in there so that each incident doesn't have to be investigated.
Then, I think you also have to be able to introduce the concept of mitigation. What do we do to lower the risk to the protected health information from it being used inappropriately or seen inappropriately by someone? There are things that we do to head off an issue. We may implement a request that someone who viewed information sign an affidavit so that we can document, ... that the risk is much lower because ... somebody [confirmed that] they did not see more than one or two things, maybe just name and address. I would say that's a good strategy.
Once you update your policies and procedures, then I think that you'd want to go into incident response testing, and this is a great exercise. You can do an exercise around a table, or you can do an entire exercise with your organization where you run an actual incident and see how everyone responds, see whether they provide the appropriate documentation, see whether they conduct the right analysis, and see whether everything was documented correctly and saved correctly for the file.
For the last part, I think that you would really want to take a good, close look at whether your team that's working the incident feels comfortable with the actual risk assessment and whether they feel that they're able to rate the four factors, whether it's high, low, or medium risk. ... I think that if you do all of these things, then you're supporting and meeting your obligations to show that you have a program in place that's adequately catching, reporting and notifying incidents.
MCGEE: Who should be involved in breach assessments at covered entities and business associates?
GIBLIN: I would say that the chief privacy officer would be involved in the oversight for the whole incident process of reporting HIPAA incidents. However, I do think it's important to include your general counsel. Make sure that they're in the loop of how incidents are being reported and how many incidents are being reported. And you do have to also take a look at the chief compliance officer's role as well as the chief information security officer's role. And the important part about some of the incidents is that they may involve information security that's electronic, but they also may involve physical security, and they also may involve your contractors. ... Maybe [it's] the delivery folks that are delivering PHI, and then a lot of times that's where it gets lost and inadvertently disclosed.
Unfortunately, paper incidents are still a major driver in this area for data breaches and reportable events and notification being required. We think it's always going to be something more like a cyber hack or it could be something like a system access issue with an employee. But there's still a lot of very prevalent hardcopy breaches that are out there. HIPAA is very important, and these notification requirements are very important because only a few states are still requiring paper breaches to be reported.
Impact of New Notification Standard
MCGEE: Do you think the new breach notification standard of HIPAA Omnibus will result in more or fewer incidents having to be assessed and reported?
GIBLIN: I think that there's a lot more room under the risk assessment when it comes down to an individual weighing all the four factors. It's going to require training and awareness on the identifiers to see what information was compromised and whether that information, if it had been de-identified, can be re-identified. I think that there's some room there for improvement, and also I think there's going to be some education, awareness and training around the unauthorized person who used the protected health information or to whom the disclosure was made.
You're asking people to pretty much give a risk assessment of who was a trusted individual within an organization or maybe that visits an organization. I think that's important. Then, I think also that whether the information was actually acquired or viewed, I could see a lot of people hedging on whether that's actually [breached]. You're going to have to definitely document that assessment.
If you feel that you've got mitigation efforts that really locked up what happened and you're able to close things out with an affidavit that unsecured protected health information was not compromised, then I think that you would be also looking at such things as whether data was encrypted or not. If it's encrypted, you again would be conducting a further analysis on the guidance provided by the secretary of HHS. I would think that there are a lot of steps here that would allow during this risk assessment some of the incidents to be determined to not be notifiable events.
Tips for Business Associates
MCGEE: Do you have any particular tips about breach notification for business associates that weren't directly liable for HIPAA compliance in the past?
GIBLIN: Business associates ... definitely need to come up-to-date with what their responsibilities are under the law, and there will be a lot of training [needed]. However, in the past, they have been contractually obligated to report and provide notification to their covered entity. The expectation is that the business associates have been given a long time to get to the point where they can actually step up and participate in this process.
But what the business associates are going to have to do is to really look at their subcontractors and bring their systems and processes into compliance with HIPAA privacy and security requirements. The BAs themselves are going to have to go look to make sure that the contracts with the subcontractors reflect all the HIPAA requirements. Business associates definitely must specify compliance with the breach notification rule in their contracts now, and there's going to be a lot of liability issues. Business associates are going to be expected to be in compliance, and they're going to be investigated as well.
Breach Reporting, Prevention
MCGEE: What should organizations be telling their workforces about breach reporting and breach prevention right now?
GIBLIN: I think that it's pretty clear that the workforce will need to be trained. They'll need to be given further information on reporting and what's required, what they're to look for, because it's in the moment when someone sees something happening that they can take steps on the risk assessment. If they're really well-trained on the risk assessment, then they can start actively mitigating while an incident is occurring. This is a great opportunity to use a risk-based approach for minimizing and mitigating some incidents real-time. While these things are happening, we can get a better handle on closing them up and bringing the liability down for the covered entity. [It's] training, awareness and a full understanding of what the protocol is once a breach is occurring.
Dealing with Breach Investigations
MCGEE: Any advice for how organizations should prepare to deal with Department of Health and Human Services when breaches are reported and then investigated by HHS?
GIBLIN: My basic advice is to engage legal counsel at that point because you want the attorney-client privilege to be around all the communications regarding any investigation by HHS. It's also really important that a log of the incidents ... is really important for an attorney who works with your group to view. I think they should have a good understanding of what your picture is and what your compliance heat map is for breaches in your organization. The covered entity and business associate should have in place a legal counsel that they can call and ask, "Is this a breach?" Because so many times, again, while something is missing, if there's a recommendation of how it can be retrieved or some advice and guidance can be given by legal counsel on how to close the incident better, then the covered entity would only benefit from the attorney's advice and guidance and from the attorney-client privilege being around those communications.