When is an Incident a Breach? Privacy Attorney Explains Regulator's Mixed Messages
The Department of Health and Human Services' Office for Civil Rights has changed its standard for determining breaches under HIPAA Omnibus to a more objective assessment of four factors. But there is still murkiness about whether the previous harm standard is truly a thing of the past, says privacy attorney Adam Greene.
Under the HIPAA Omnibus Rule, an organization must look at whether information was compromised based on four factors: the type of information involved; where the information went; whether the information was actually accessed or viewed; and mitigation steps taken as a result of the incident.
"Since January when this rule was published, we've seen changes in how [OCR] is interpreting 'compromise,'" Greene says in an interview with HealthcareInfoSecurity (transcript below).
OCR has said that the four factors are a more objective approach than what the previous harm standard intended, but has subsequently suggested other meanings of a 'compromise', Greene says.
"We've heard more recent statements that suggest that compromise really is whether there's a significant risk of reputation," he says. "Alternatively, we've also heard that OCR states that 'compromise' is whether there are adverse effects to the individual, which is essentially the same."
Greene explains: "There seems to be some differing interpretations coming out of OCR itself, and we just are stuck with uncertainty."
He does suggest that organizations and covered entities can expect greater clarification in the months ahead.
In the interview, Greene also:
- Outlines the differences between "breach" and "compromise;"
- Provides a thorough explanation of the four factors that the HIPAA Omnibus final rule says must be considered when assessing whether an incident is a reportable breach;
- Discusses why a chosen breach assessment methodology needs to be balanced with common sense.
As a partner at Davis Wright Tremaine LLP in Washington, Greene specializes in HIPAA and HITECH Act issues. He formerly was senior health information technology and privacy specialist at the HHS Office for Civil Rights, where he played a significant role in administering and enforcing the HIPAA privacy, security and breach notification rules.
Differences Between 'Breach' and 'Compromise'
MARIANNE KOLBASUK MCGEE: In the HIPAA Omnibus final rule, it says breach is defined to mean "generally the unauthorized acquisition, access, use or disclosure of protected health information which compromises the security or privacy of such information." To start, what does that mean and is breach and compromise the same thing under HIPAA Omnibus? What's the difference?
ADAM GREENE: It's a very good question. For purposes of HIPAA, a breach is really a category of an incident. Some incidents are breaches; some are not. If an incident falls under this category, certain steps are required, such as contacting individuals, HHS and potentially the media.
In contrast, compromise refers to what happened to data. By looking at what happened to the data, you determine whether the incident is properly categorized as a breach. Entities should be very careful about throwing the word breach around when talking about incidents. For example, under HIPAA, it's not the same to say that information was improperly disclosed and that it was breached. Organizations should be careful about documenting incidents as breaches before they fully investigate and reach a legal conclusion that the incident is properly categorized as a breach.
Four Factors in Assessing a Breach
MCGEE: OCR suggests that organizations should figure out whether breaches need to be reported by assessing four factors. What are those four factors?
GREENE: In determining a breach, OCR has indicated that you need to look at whether the information was compromised based on four factors. The first factor is the type of the information, and they in the examples look to two different things here. One is the identifiability of the information. Information can be protected health information but may not be really identifiable because it doesn't have patient names or addresses. The other type of information that's relevant is the sensitivity of the information. Are we just talking about the fact that someone received healthcare services from a primary care physician or a general hospital, or is it more sensitive information with specific diagnostic information?
The second factor is the recipient. Who did this information go to? Did it go to someone who has legal protections to protect the information, to another covered entity or business associate? Did it go to someone who has no motivation to potentially misuse information? Or did it go to someone who either intentionally obtains the information such as an identity thief or someone who has a potential motivation to abuse the information?
The third factor was whether the information was actually accessed or viewed, looking at forensic evidence, if available, as to whether information on a laptop that was lost but then recovered was actually accessed or viewed.
The final step is mitigation steps. Based on actions taken after the disclosure, were you able to stop any potential compromise, like for example getting the information back or getting assurances that the information was destroyed before it was improperly further used or disclosed?
Applying the Four Factors
MCGEE: How should those four factors be applied to determine whether information was compromised?
GREENE: There's no single way to do it. There can be different approaches. I personally think that a quantifiable method is a good idea in that it demonstrates objectivity and that you have gone through the process, but different organizations will apply different scores and there's no single correct methodology. Another big question is how the factors interact. For example, if you fully mitigate a matter, do you give any weight to the other three factors? Or based on the fact that you fully mitigated it, is that enough? What's going to be most important is for organizations to go ahead and document in some way that they have addressed all four factors, but each organization should look to themselves, or look at others in the industry as it becomes more readily available, for methodologies that are objective and consistent.
MCGEE: When an organization tries to assess whether an incident should be reported, should they be basing this on their own documented definition of compromise, or should they first try to decipher what OCR defines as a compromise?
GREENE: I think either approach is fine as long as you're trying to do something consistent and it's fairly reasonable. For example, an organization can use a dictionary definition of compromise, and since we haven't received any more formal guidance as to what compromise means, I think that's a supportable position. This may actually lead to a pretty strict result in cases in which pretty much any impermissible use or disclosure might be considered a compromise.
On the other hand, recent statements from OCR suggest that compromise only occurs where there are potentially adverse effects to the individual. I think organizations can document this as a definition of compromise and use that until we get further guidance from OCR. This may actually lead to [fewer] things being considered breaches. For example, an improper snooping case by an employee where you have assurances and you have a reasonable basis to believe that there will be no adverse effects to the individual, that may not be a compromise based on this OCR interpretation that we've been hearing informally. It will be very important to stay tuned for further written OCR guidance and to incorporate such guidance.
Complexities of Compromises
MCGEE: Why might business associates and covered entities have difficulty in defining or determining what a compromise is? Besides the four factors, what other steps do you suggest they consider to help sort this out?
In contrast, if you go sanction the employee and you get assurances that the employee has not done anything with the information and will not further use or disclose the information, when you apply the four factors you may come to a completely different result. You may conclude that, based on the mitigation, the likelihood of the information having an adverse effect on the individual, on the patient, is pretty low. In that case, a different definition of compromise will lead to completely different results. No one likes this uncertainty...and so it becomes much more important to document a consistent objective approach, and I think if you have such an approach documented then you'll be in pretty good shape.
Applying the Harm Standard
MCGEE: Based on the previous harm standard which looked at whether an incident resulted in financial, reputational or other harm to a patient, do you think the definition of compromise will change now a lot in terms of what's sort of determined to be a reportable breach for organizations?
GREENE: We just don't know. Since January when this rule was published, we've seen some changes frankly in how OCR is interpreting compromise. We've seen in the earlier statements a focus on this being a more objective approach than in the past, and far less on the harm to individuals. In contrast, we've heard more recent statements that suggest that compromise really is whether there's significant risk of reputational, financial or other harm. Or alternatively we've also heard that OCR states that compromise is whether there are adverse effects to the individual, which is essentially the same. There seem to be some differing interpretations coming out of OCR itself and we just are stuck with uncertainty. I expect we'll get some greater clarification in the months ahead, but we may always have some level of uncertainty here.
Determining a Compromise of PHI
MCGEE: Finally, do you have any other advice or thoughts about how organizations can determine whether there's been a compromise of PHI that means that the breach should be reported?
GREENE: Probably the most important one is don't forget about common sense. Whatever methodology you use, it may occasionally lead to absurd results. Always consider at the end of the day whether the results are reasonable. You don't want to be, for example, over-notifying because you have a methodology, but when you apply it then it leads to disclosures where there's really no potential adverse impact whatsoever.
On the other hand, you may have a methodology that when you apply it, it says you don't need to report a breach, but common sense would dictate the individual really should know about this because there may be some actions that the individual may need to take. Don't become kind of a slave to your methodology. Always apply that common sense at the end and adjust your methodology if you find that it's flawed. That's what this period of time leading up to September is a very good time to do. We have a practice time to put into effect the new compromise standard, and so it's good to test it now rather than applying this for the first time when a breach occurs after September, the compliance date.