Jeannine LeCompte, Compliance Research Specialist
The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule established appropriate safeguards that healthcare providers and others must maintain to protect the privacy of protected health information (PHI). This issue has become increasingly important as most facilities have moved to electronic health record (EHR) keeping.
According to guidelines set by the US Department of Health & Human Services (HHS), measures to protect EHR systems must include at the very minimum:
- The use of access control tools like passwords and PIN numbers
- The encryption of stored information
- An “audit trail” feature, which records who accesses information, what changes are made, and when
However, the dramatic increase in hacking activities and the appearance of ransomware attacks, which seize control of and delete patient records, requires increasingly powerful protective measures.
A data breach, also called a security or privacy breach, is defined as the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users and for an other than authorized purpose have access or potential access to personally identifiable information, whether physical or electronic.
Federal law requires all healthcare providers to notify affected individuals and the Secretary of Health and Human Services of any data breaches. If a breach affects more than 500 residents of a state or jurisdiction, the healthcare provider must also notify prominent media outlets serving the state or jurisdiction. This requirement helps patients know if something has gone wrong with the protection of their information and helps keep providers accountable for EHR protection.
CMS guidelines for dealing with data breaches state that the very first step must be an immediate “fix” for any technical or other problem to stop the incident. The facility should also take steps to mitigate any impermissible disclosure of PHI.
Next, the facility must report the crime to other law enforcement agencies, which may include state or local law enforcement, the Federal Bureau of Investigation (FBI), and/or the Secret Service.
If a law enforcement official tells the facility that any potential breach report would impede a criminal investigation or harm national security, the entity must delay reporting a breach for the time the law enforcement official requests in writing, or for 30 days, if the request is made orally.
Skilled nursing facilities (SNFs) should make it a priority to invest in the very latest and best IT technology, because sanctions for data breaches are actively enforced by the HHS’s Office for Civil Rights (OCR).
The facility should, under normal circumstances, report the breach to OCR as soon as possible, but no later than 60 days after the discovery of a breach affecting 500 or more individuals.
The OCR presumes all cyber-related security incidents where PHI was accessed, acquired, used, or disclosed are reportable breaches unless the information was encrypted by the entity at the time of the incident, or the entity determines, through a written risk assessment, that there was a low probability that the information was compromised during the breach.
OCR enforcement for a failure to have the correct policies and procedures in place can be severe. HIPAA Settlements—the term used by OCR when finalizing sanctions against healthcare providers—regularly run into the millions of dollars, when it can be shown that facility negligence or the failure to follow set policies and procedures are to blame for EHR data losses.