Breach Response: Business Associate Tips
Steps to Take When Notifying Covered Entities About an Incident
As a result of the HIPAA Omnibus Rule's new breach notification guidelines that went into effect last year, business associates need to take certain steps when notifying covered entities of incidents, says security expert Brian Evans.
"Business associates should notify the covered entity as soon as they discover a breach has occurred, but no later than 60 days from the discovery of the breach," says Evans, a principal security and privacy consultant at Tom Walsh Consulting, in an interview with Information Security Media Group (transcript below).
Evans says business associates need to identify each individual who may have been affected by the breach and gather other information that describes the incident. "But if I'm a covered entity, then I want to have formally established breach notification and response procedures with my business associates, and I'm not sure I want to wait 60 days for them to notify me," he says.
In the interview with Information Security Media Group, Evans also discusses:
- Other mistakes organizations should avoid making in their breach investigations and responses;
- How businesses take inadequate steps to prepare for incidents;
- The grade he gives healthcare organizations and business associates in their overall state of information security.
Before joining Tom Walsh Consulting, Evans served as information security officer at The Ohio State University Health System, Atlantic Health, Fletcher Allen Healthcare, New York Hospital Queens and University of Alabama Birmingham Health System. He also led the incident response and computer forensic investigations teams for Nationwide Insurance and was vice president of IT risk management at KeyBank and JPMorgan Chase. Evans started his career as a medic in the U.S. Air Force.
Preparing for a Breach
MARIANNE KOLBASUK MCGEE: Before a healthcare entity even gets to the point of suspecting they've had a HIPAA breach, how should they prepare?
BRIAN EVANS: Well, there are several steps that organizations should take to prepare for a breach, and one of those is to formally designate and train an incident response team. What I continue to find is organizations have more of an information team that has not been formally designated, or they haven't been trained. Those are key components to establish those kinds of teams. The other area is at least documenting procedures that will help provide insight for the response team to respond to the incident. I continually see organizations lacking that level of detail with their documentation. That should also include working with your external organizations as well, because obviously we've got business associates that can encounter incidences and breaches, so those kinds of formal procedures need to be established.
Lastly, I'd say that organizations need to do a better job in tracking this incident information. I oftentimes come across an organization that tracks the information, but the privacy officer tracks it, the security officer, the compliance officer, and next thing you know when you ask the question, "How many data breaches did your organization have last year?" There is "36," or "24," or "39." You need to be a little more in sync with what you're doing in tracking this information.
Small Entity Breaches
MCGEE: What should a small entity do if they suspect they've had a data breach?
EVANS: In this situation I would suggest getting assistance from an outside security vendor. That would be the most effective approach to take, simply because they don't have that wherewithal internally. But this is why preparation is so important. You don't want to wait until something bad happens to start figuring this out, and so smaller organizations should decide whether or not they're going to build this intelligence and expertise in-house or look to outsource it.
Reportable HIPAA Breaches
MCGEE: What are the key steps the organization should take under HIPAA Omnibus to assess whether there has been a reportable HIPAA breach?
EVANS: Omnibus provides at least four factors that organizations need to minimally consider. So the first one is, what's the nature and extent of the PHI involved? There are 18 identifiers of PHI, such as name and Social Security number, obviously. What specific data elements were potentially affected by this incident? That is the question you need to ask. So using your stolen laptop as an example, making this determination might be difficult because the device isn't available obviously, but it's not impossible. There are ways to at least investigate that and try to figure it out a little more effectively.
MCGEE: Whom should a healthcare entity notify first and what should they do next?
EVANS: It depends on the type of breach and a number of other factors. According to the HITECH Act, if a breach affects 500 or more individuals, then you'll need to notify Health and Human Services no later than 60 days following the discovery of the breach. However, if a breach affects fewer than 500 individuals, then you'll need to notify HHS no later than 60 days after the end of the calendar year in which the breach occurred. But that is just on the federal level.
There are currently 47 states that have legislation requiring notification if a breach involves personal information, but these requirements vary by state. Look at Ohio and Florida, for example: they require notification no later than 45 days following a discovery of a breach, while, let's say, Idaho and Rhode Island's laws say, and I quote, "The most expedient time possible and without unreasonable delay."
After notification, the federal and state requirements are fairly clear on the steps that organizations need to take, which of course depends on the circumstances. But once again, preparation is key to understanding and making these types of next step determinations. But one step is consistent regardless of all these variables, and that is ensuring all investigative steps taken, all evidence collected, and all supporting activities have been fully documented.
Notifying Covered Entities
MCGEE: How does breach response change if it's a business associate that's had an incident?
EVANS: Business associates should notify the covered entity as soon as they discover a breach has occurred, but no later than 60 days from the discovery of the breach according to the HITECH Act. Now this notification should include the identification of each individual who may be affected by the breach, as well as any other supporting information. But if I'm a covered entity, then I want to have formally established breach notification and response procedures with my business associates, and I'm not sure I want to wait 60 days for them to notify me. So that is something that we need to figure out as an organization from a covered entity to make sure that those procedures are squared away, and that may require some re-negotiation and revising of the business associate agreements.
MCGEE: What are the biggest mistakes organizations should avoid making in their breach investigation and response?
EVANS: Some of the biggest mistakes I see organizations make is not training their staff. If you look at most healthcare organizations, they have what I would call a "volunteer firefighter model" where folks have day jobs but then actually have to respond to a particular incident if called to go to the task. But the challenge is that those folks often aren't trained and don't have a full understanding of the rules and responsibilities. That's really an easily correctable mistake if folks put forth the effort and work towards training and defining those rules.
The other area I oftentimes see is not including all the stakeholders at the beginning of an incident. Often it may be on the IT side or on the legal side, and they start going down field and investigating this, and then a week, day or month later they end up having to pull somebody else in. If they had invited everybody to the party initially, then they would have been able to at least investigate that more effectively.
Rating Healthcare Entities
MCGEE: Overall, how would you rate the state of information security of healthcare entities and BAs? What are they doing right?
EVANS: On the covered entity side, I still encounter organizations that are, believe it or not with the HIPAA security rule being almost ten years in place, less than 20 percent compliant with those minimum security requirements. That is with organizations large and small. I think the challenge with a lot of organizations is the competing priorities, and the focus and attention they need to pay on the HIPAA security rule minimally. With the business associate side, I encounter something similar. Now they've had less time to focus on becoming compliant with the HIPAA security rule, so as a result I see even less maturity in some respects. I give the overall experience of organizations that I've worked with probably a C minus. We have a ways to go. I continue to see that, and I continue to see reports come out. There is a cybersecurity report that just came out from SANS Institute that pretty much indicates some of these blocking and tackling fundamentals in an information security program are continuing to be missed.