How to 'Frame' Breach Notifications
Complying With the HIPAA Breach Rule
Encryption, staff training and audits of patient records access are three essential healthcare information breach-prevention steps, says attorney Robert Belfort.
Belfort urges healthcare organizations to encrypt data on mobile devices and media, educate staff about the sanctions they'll face if they're guilty of a breach and conduct internal audits of records access. "The belief that ... there's a high risk that if you access a record improperly you will be caught through some sort of audit trail review can have an important impact on behavior," he stresses.
In an interview with HealthcareInfoSecurity's Howard Anderson (transcript below), Belfort also notes that organizations face a "difficult balancing act" in notifying patients of a breach while ensuring the risks aren't exaggerated.
The most difficult aspect of breach notification, Belfort says, is "figuring out how to frame the discussion in a way that balances the obligation to alert individuals to what's happened without causing unnecessary worry or exaggerating the risks that individuals really face."
In the interview, Belfort also:
- Describes how to weigh whether an incident needs to be reported as a breach based on the HIPAA interim final breach notification rule's requirements. This involves three steps: determining whether there has been improper access to information; whether the information involved was properly encrypted; and whether the improper access created a significant risk of financial, reputational or other harm to the individuals whose information was accessed.
- Describes how to determine whether to offer breach victims free credit protection services.
Belfort is a partner at the national law firm Manatt, Phelps & Phillips LLP. He specializes in advising healthcare organizations on regulatory compliance and transactional matters. His areas of expertise include fraud and abuse, HIPAA compliance and managed care issues.
HOWARD ANDERSON: For starters, why don't you tell us a little bit about your firm and your activities in healthcare?
ROBERT BELFORT: I'm a partner in Manatt, Phelps & Phillips LLP. We're a national law firm with offices in California, New York and Washington, D.C., and a significant part of our firm is dedicated to providing legal services to the healthcare industry. My practice focuses on healthcare regulatory compliance, and a significant component of that involves compliance with HIPAA as well as state and other federal privacy laws.
Assessing a Healthcare Breach
ANDERSON: What steps should healthcare organizations take when assessing whether a breach merits reporting to federal authorities as well as the patients affected?
BELFORT: This has been a very challenging area for healthcare organizations, in part because there are several steps in determining whether a breach has occurred, and in many of those steps there's a lot of uncertainty ... about how to interpret the law. We're involved frequently in trying to help organizations decide whether an incident does constitute a breach and needs to be reported, and have seen a variety of scenarios where there are really judgment calls to make about whether the standards set forth in the law and the regulations have been met.
The other complicating factor here is that the rules implementing the HITECH [HIPAA] breach notification requirement were originally issued in what are called interim final form, which means they were final but comments were solicited. In response to comment from the industry, HHS announced that it was going to [delay] a final rule ... and there has still been no final rule issued. I think there's a lot of uncertainty not only about how to interpret the current rule but about the extent to which the current rule is going to ultimately be the standard that has to be applied.
But with that said, I think the first step in assessing whether there has been a breach is trying to figure out whether there has been improper access ... to protected health information, and that has not gotten as much attention as the decision-making about the "risk of harm" standard, which I will talk about in a minute. But it's less obvious than one might think whether improper access has occurred in all cases. There are times when information may have been obtained by others, when items have been lost, or when the circumstances surrounding the information are not clear, and there are often judgment calls to make about whether it's likely that an unauthorized person accessed the information. We've seen some scenarios that range from things like a missing CD that was last seen by somebody in a secure area above a trash can, and the assumption was that it somehow ended up in the trash can and wasn't accessed by anybody; but nobody can really prove that. It's those kinds of situations where I think there are difficult decisions to make about whether there has been improper access.
If you pass that threshold question, there are certain exceptions for inadvertent, good-faith acquisition by employees within the organization. You need to assess whether it's possible that this exception was satisfied. If not, the next question is whether the information was unsecured in the way that's defined under HITECH. HHS has issued guidance indicating that if information is encrypted in accordance with certain standards, then it will not be deemed unsecured, and even if there was improper access it would not constitute a breach. This is often a frustrating issue for organizations that confront lost laptops or other portable media, where encryption is really not that challenging from a technical or cost standpoint. But there's still a significant number of cases where unencrypted information on portable media has been the subject of a breach.
If the information is unsecured, then the final question, which is the one that has gotten the most attention, is whether the improper access created a significant risk of harm. Harm can mean financial, reputational or other harm to the individuals whose information was accessed. There are often a number of factors that have to be considered in deciding whether there has been a significant risk of harm. That includes the type of information that was the subject of the improper access. Does it include sensitive information like Social Security numbers or credit card numbers that could be the basis for financial fraud? Or does it include the type of medical information that could be embarrassing or otherwise harm the reputation of the individual?
Also important to consider is: who accessed the information? Was it someone who had a duty to keep it confidential, such as another healthcare provider, or was it someone who either has no duty or appeared to actually have bad motives when acquiring the information? Another factor that would be considered is when the person accessed that information, what did they do? If they called up the organization and told them that they had improperly received material, [then] that would suggest that they didn't intend on misusing it and would strengthen the case that there wasn't a risk of harm to the individual.
One of the struggles that organizations have now with the risk of harm standard is that obviously there's no bright line, so while there are certain cases that clearly fall on one side or the other, there are a lot in the gray area. Organizations are, on the one hand, concerned about sending notices to individuals where they really don't think the individuals are at risk. It causes unnecessary concern among patients and obviously damages the reputation of the organization - often in ways that don't seem warranted. On the other hand, the industry seems to be very concerned about HHS taking an expansive view of the risk of harm standard, and it appears that a lot of organizations are reporting incidents that arguably don't create a significant risk of harm but are erring on the side of interpreting that standard very expansively to avoid any potential claim that they didn't report a breach when they were supposed to.
ANDERSON: In notifying patients of a breach as required under federal rules, what information needs to be provided, and what is the best way to frame that information?
BELFORT: Well, there are certain facts that the HIPAA breach notification rule specifies have to be included in the notice, such as the date of the breach, the nature of the incident, what kind of information was contained in whatever material was improperly accessed, and what the organization is doing to try to rectify that problem. It's usually pretty straightforward in terms of figuring out what facts have to be contained in the notice.
I think the more difficult element of the notification is figuring out how to frame the discussion in a way that balances the obligation to alert individuals to what has happened without causing unnecessary worry or exaggerating the risk that individuals really face. That's a difficult balancing act.
On the one hand, I think organizations have to be concerned that if they underplay the significance of the breach, they will be accused of not being forthright with patients, of not discharging their obligation to fully inform them of the risks. On the other hand, there are many incidents that have been reported as breaches where most people would agree that the likelihood of patients being harmed is very low, and it really doesn't serve consumers' interest to have an exaggerated sense of what their risks really are. I think part of the challenge is finding the right balance, which will really be different in each case depending on the nature of the incident, where the provider organization can feel that they've been honest and transparent, but also try to reassure individuals that the likelihood that they might be harmed is actually relatively low.
The mistakes that can be made are erring too far on one side or the other in that balancing act. There have been cases where, in my view, providers have issued notices where I just don't think there was really a risk of harm, and maybe not even improper access; where there were vulnerabilities in the provider's security systems or other incidents that suggested that the risk patients could be harmed was exceedingly low. I understand the motivation behind reporting those as breaches, but I think there may be an over-reporting that's going on within the industry right now, and I'm hoping that there will be some clarification in the final rules that makes it easier for organizations to figure out when reporting needs to be done. I am unfortunately a bit skeptical about whether that is going to really happen.
Weighing Free Credit Monitoring
ANDERSON: How should organizations go about determining whether to offer breach victims free credit monitoring?
BELFORT: Usually the consideration that's most important in that determination is the nature of the information that was disclosed in the breach, and particularly whether that information included a Social Security number, credit card number or other information that would likely be linked to any type of financial fraud. Where the disclosure involved purely medical records with demographic information that could probably be obtained from public sources, most organizations would take the position that there's no real risk of financial fraud. There might be a risk of reputational or other types of harm, but, as a result, free credit monitoring wasn't necessary. The statute and regs don't require free credit monitoring. The law requires organizations to mitigate the potential harmful effects of an improper disclosure. And so I think that mitigation really needs to be linked to the type of information disclosed.
If a patient's name or address or phone number was disclosed with medical records, it's hard to see how that would be used for financial fraud, and so I think the likelihood of the need for credit monitoring would be low. The rule of thumb is to really look at the type of information and whether it could be linked to some sort of financial problem.
Breach Prevention Steps
ANDERSON: Finally, based on the major breaches reported to federal authorities so far, what do you see as the top three steps organizations can take to prevent breaches?
BELFORT: I think the major things that organizations can do should reflect the kinds of incidents that are triggering breaches, which are very easy to identify by going to the HHS website where all the breaches, at least those involving large numbers of individuals, have been reported as required by HITECH. And the overall trend in that area is that most of these breaches are the result of what I would call relatively low-tech problems, rather than high-tech problems. They are not being caused by hackers or sophisticated people who are penetrating systems - not to diminish the importance of protecting against that. But I think the low-hanging fruit in this area to prevent the kind of incidents that are really generating most of the breaches is to look at a few things.
Number one is that a disproportionate share of breaches involves portable media or devices like laptops, thumb drives, CDs - things of that nature. And as I mentioned before, it's not difficult to encrypt information on those kinds of media and devices. And so, at this point, even though encryption is what's referred to as an addressable standard in the HIPAA security rule - which means it's not actually mandated in all cases - I don't see any reason why information shouldn't be encrypted in all cases on portable media and devices. ... That's one step that organizations can take that I think can address a very significant share of the types of breaches that are occurring.
The other thing that I think is a major source of the notifications is what I refer to as insider problems, and by that I mean individuals who have access to the system accessing information for improper purposes, whether it be to commit fraud or just out of curiosity because it's a celebrity, or it's someone that they work with within the organization whose records they're looking at, or a family member. Focusing on the insider risks is particularly important and entails training, emphasizing with employees that even well-intentioned improper access is actually a crime under HIPAA - that even if an employee believes that they only have the individual's best interest at heart by looking at their records, if they aren't authorized to do that, they will be terminated and potentially be subject to criminal prosecution. And [it's important to] back up that training with internal auditing. The belief that audit logs are being monitored and that there is a high risk that if you access a record improperly you will be caught through some sort of audit trail review can have a very important impact on behavior within an organization.
I would say that those things are not that expensive or technically difficult to implement, and if organizations did those things they wouldn't prevent all the potential breaches, but they would go a long way to eliminating some of the common incidents that occur.
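The audit-trail review Belfort describes, written out as an added example that is not part of the interview and not Belfort's or HealthcareInfoSecurity's code. It screens a record-access log for the insider patterns he names: access without a documented care relationship, access to a flagged (VIP) record, a patient who is also an employee, a patient who shares the employee's surname, and an employee opening their own record. The roster, care-team table, VIP list and log lines are all constructed for the example; the column names and the rule names are assumptions, not any EHR vendor's format.

```python
"""Screen an EHR access log for insider-access patterns worth a human review."""
import csv
from collections import Counter
from dataclasses import dataclass
from io import StringIO

# --- Constructed sample data (not from the article) ---------------------------
# Employee roster: user_id -> (surname, that employee's own patient id if they
# are also a patient at this organization, else None).
EMPLOYEES = {
    "jsmith": ("Smith", "P100"),
    "mlee": ("Lee", None),
    "rgarcia": ("Garcia", "P200"),
    "tnguyen": ("Nguyen", None),
}
# Documented treatment relationships: patient_id -> user_ids on the care team.
# In practice this would come from encounter/assignment data, not a literal.
CARE_TEAM = {
    "P001": {"mlee", "tnguyen"},
    "P002": {"rgarcia"},
    "P003": {"mlee"},
    "P100": {"mlee"},
    "P200": {"tnguyen"},
    "P777": {"tnguyen"},
}
# Records flagged for extra scrutiny (public figures, staff, etc.).
VIP_PATIENTS = {"P777"}

# Constructed access log in an assumed CSV layout.
ACCESS_LOG = """timestamp,user_id,patient_id,patient_last_name,action
2011-03-01T08:02:11,mlee,P001,Doe,view_chart
2011-03-01T08:15:40,rgarcia,P002,Brown,view_labs
2011-03-01T09:30:05,jsmith,P777,Star,view_chart
2011-03-01T10:12:19,jsmith,P003,Smith,view_notes
2011-03-01T11:45:00,mlee,P200,Garcia,view_chart
2011-03-01T12:01:33,rgarcia,P200,Garcia,view_chart
2011-03-01T13:20:47,tnguyen,P777,Star,view_chart
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user_id: str
    patient_id: str
    reasons: tuple  # rule names that fired, in evaluation order


def audit_access_log(log_text, care_team=CARE_TEAM, employees=EMPLOYEES,
                     vip_patients=VIP_PATIENTS):
    """Return one Finding per access that a reviewer should look at.

    Accesses by a user on the patient's documented care team are treated as
    authorized and produce no finding; everything else is annotated with the
    reasons it looks suspicious.
    """
    # Reverse index: patient id -> employee who owns that record.
    employee_records = {pid: uid for uid, (_, pid) in employees.items() if pid}
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        user, patient, ts = row["user_id"], row["patient_id"], row["timestamp"]
        if user not in employees:
            findings.append(Finding(ts, user, patient, ("unknown_user",)))
            continue
        surname, own_record = employees[user]
        if patient == own_record:
            # Self-lookup is its own category; no care-team check applies.
            findings.append(Finding(ts, user, patient, ("self_access",)))
            continue
        if user in care_team.get(patient, set()):
            continue  # documented treatment relationship: authorized
        reasons = ["no_care_relationship"]
        if patient in vip_patients:
            reasons.append("vip_record")
        if row["patient_last_name"].casefold() == surname.casefold():
            reasons.append("same_surname")  # possible family member
        if patient in employee_records:
            reasons.append("coworker_record")
        findings.append(Finding(ts, user, patient, tuple(reasons)))
    return findings


def summarize_by_user(findings):
    """Count findings per user so repeat offenders surface first."""
    return dict(Counter(f.user_id for f in findings))


if __name__ == "__main__":
    for f in audit_access_log(ACCESS_LOG):
        print(f.timestamp, f.user_id, f.patient_id, ", ".join(f.reasons))
    print(summarize_by_user(audit_access_log(ACCESS_LOG)))
```

The surname rule is deliberately loose (it will flag unrelated people who share a common name) because the output is a review queue for a privacy officer, not an automatic sanction; the care-team check is the one that carries the weight, and its quality depends entirely on how completely treatment relationships are recorded.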