Health Breach Notification: New InsightsHelp for Assessing Breaches Under HIPAA Omnibus
A new breach notification guide from the Workgroup for Electronic Data Interchange offers some basic tips for healthcare organizations that are assessing incidents under the HIPAA Omnibus breach notification rule. But it's important for organizations to also address other factors for effective breach assessment and response, two experts say.
The new guidance issued by WEDI, a not-for-profit coalition of healthcare industry stakeholders, provides an overview of the steps organizations should take in determining whether a data incident is a reportable breach under the HIPAA Omnibus breach notification rule that went into effect last year.
The guide offers "a decision process [that] can be used to guide efforts in establishing probability and requirements for notification," spelling out several concepts and requirements for breach notification under HIPAA Omnibus. Those include the presumption that upon discovery of an incident, a breach has occurred, and "it is up to the covered entity or business associate to demonstrate a low probability that protected health information has been compromised," the guide notes.
The guide also reminds organizations that a four-factor assessment must be used to establish the probability that protected health information has been compromised and notification is merited. Those factors include: the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; the unauthorized person who used the PHI or to whom the PHI was disclosed; whether the PHI was actually viewed or accessed; and the extent to which the risk to the PHI has been mitigated.
The WEDI guide also provides steps that entities should take when consulting their legal counsel and/or risk management team to confirm the probability the PHI has been compromised and if such probability requires notification. The document also notes that remediation must be considered even for a "low probability" breach determination, "as any breach discovery is also a HIPAA security incident that requires response and reporting."
WEDI released the guide "for entities to start understanding the issues around the final breach rule that was issued as a part of Omnibus," says Mark Cone, national co-chair for WEDI's privacy and security workgroup and principal of consulting firm N-Tegrity Solutions Group.
"There is still a lot of confusion in the industry in terms of replacing the 'harm' standard' [for breach assessment] that was part of the HITECH Act interim final rule with the [new] risk assessment in the final [Omnibus] standard," he explains. "We wanted to provide the industry with context behind the rule and hopefully a little more clarity in terms of making sure their data was being protected so they would not find themselves in a breach scenario," Cone says in a statement to Information Security Media Group.
Security expert Kate Borten, principal of consulting firm The Marblehead Group, agrees the WEDI guide can be a good starting point for some organizations to navigate breach assessment process.
"If it helps organizations that are intimidated by the rule, that's great," she says. "It applies to every covered entity and business associate, although we hope that larger and more risk-averse organizations already have something like this in their privacy and security incident response plan."
Beyond the advice in the WEDI document, Borten advises organizations to keep other factors in mind assessing breaches.
"It's important for each organization to identify what breach laws [including state regulations] it is subject to, and add breach determination and notification details to their incident response plan," Borten notes. "The biggest mistake has been organizations overlooking and underreporting violations and breaches."
Privacy and security specialist Rebecca Herold, a partner at the Compliance Helper and CEO of The Privacy Professor, says that business associates, which are directly liable for HIPAA compliance under HIPAA Omnibus, as well as smaller healthcare providers, would likely find the WEDI guide most helpful.
"The majority of BAs are just now starting to address HIPAA and HITECH compliance in a meaningful way," she says. Additionally, small and mid-sized healthcare providers often do not have staff assigned or trained to handle breach assessment and notification issues, she notes.
Additional Steps to Take
Among the many steps that are not addressed by the WEDI document, Herold says, are determining whether PHI is secure, considering remedial steps and testing breach response plans to make sure they work, Herold says.
"Just last week, I was helping [a law firm client] with their breach policies and procedures," she notes. "I had recommended that they include in their procedures a section on how to test the breach response plans. They told me that the documentation is enough; that, as lawyers, they determined testing the plan was not necessary for compliance.
"I explained that a documented plan that does not work when it is actually put into action will be almost as bad as, or in some ways worse than, having no documented plan at all, and could actually create some additional problems."
Among other breach assessment and response related mistakes Herold says she often sees:
- Not including all the key stakeholders necessary for breach response, including the public relations team and physical security safety personnel;
- Making the wrong conclusions about whether PHI was involved;
- Not knowing where PHI is located, so that it cannot be determined with an acceptable amount of certainty whether a compromise has actually occurred;
- Lack of targeted and in-depth training for those on the breach response team;
- Copying another organization's breach response plan and using it verbatim for their own.
"Each organization is unique, so each plan must be customized to fit that unique environment," Herold says. "Starting with a template is OK, but each organization has to actually put in some effort to make it their own."