In 2017, the Department of Health and Human Services’ Office for Civil Rights (OCR) issued fines and penalties of over $19 million for Protected Health Information (PHI) violations—a significant figure which indicates how serious the government views such incidents. Many of these fines came about as a result of the failure of Health Insurance Portability and Accountability (HIPAA)-covered entities to properly report data breaches on time—so it is just as important to know the exact procedure for reporting as it is to have a Privacy Policy itself.
The starting point is to understand that the definition of HIPAA privacy breaches is very broad. In a nutshell, a privacy breach is defined as any use or disclosure of PHI that is not permitted. It makes no difference how the privacy breach occurred: accidental, deliberate, idle staff room gossip, or even seemingly innocuous comments on social media—the consequences are the same.
The role of the privacy officer in dealing with a breach is vital, and can be pivotal in determining the extent of facility liability. The first thing that a privacy officer must do is conduct an initial review and risk assessment of the breach no more than thirty (30) days after becoming aware of the problem.
All investigations have to be thoroughly documented and all timelines kept intact, with proof, in order to avoid potential later repercussions from the OCR. This risk assessment should contain a review of the following:
1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
2. The unauthorized person who used the protected health information or to whom the disclosure was made;
3. Whether the protected health information was actually acquired or viewed; and
4. The extent to which the risk to the protected health information has been mitigated.
The Department of Health & Human Services (DHHS) says that there are three exceptions to the definition of “HIPAA Privacy Breaches.”
The first exception applies to the unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority.
The second exception applies to the inadvertent disclosure of protected health information by a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate, or organized healthcare arrangement in which the covered entity participates. In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule.
The final exception applies if the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made, would not have been able to retain the information. On this basis, the privacy officer should be able to determine if there has been a genuine damaging breach or not. Grounds for making such a determination can include evidence that the breach was trivial, or that a complaint was not made in good faith or is otherwise frivolous. Nonetheless, for security’s sake, a full record of the event and the conclusion reached should be kept for later review should it become necessary.
The situation changes if the breach appears to be genuine and falls within the parameters as laid down by the HIPAA Act. If so, the first step should be the reporting of the breach to the privacy committee for review. The committee will, as a matter of course, decide upon and implement corrective action to assist employees, vendors, or business associates to understand specific issues and reduce the likelihood of future HIPAA privacy breaches.
The law is very specific on the requirements for reporting PHI breaches to the authorities. If a breach of unsecured protected health information affects fewer than 500 individuals, a covered entity must notify the Department of Health & Human Services Secretary of the breach within 60 days of the end of the calendar year in which the breach was discovered.
Affected individuals must also be informed no later than 60 days after discovery of the breach. The method of communication must be in written form by first-class mail, or alternatively, by e-mail if the affected individual has agreed to receive such notices electronically.
If the contact information for ten or more individuals is out-of-date, then the institution must provide “substitute individual notice” by either posting the notice on the home page of its website for at least 90 days, or by providing the notice in major print or broadcast media where the affected individuals likely reside. The covered entity must include a toll-free phone number that remains active for at least 90 days where individuals can learn if their information was involved in the breach.
If the out-of-date contact information is for fewer than 10 individuals, the institution may provide substitute notice by an alternative form of written notice, by telephone, or other means. These individual notifications must include a brief description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further HIPAA privacy breaches, as well as contact information for the covered entity.
If the breach affects more than 500 individuals, the same stipulations apply with regard to reporting to the DHHS and the individuals concerned, but also to “prominent media outlets serving the State or jurisdiction” so as to ensure the widest possible alert being issued to potentially affected persons.
After that, the OCR will investigate the matter, and make a final ruling on whether the institution has been grossly negligent or not—and if all the guidelines laid down in this article and its predecessors have been followed, the chances of severe punishment will be slim.