Preventing and Managing Security BreachesSeptember 2009
On August 19, 2009, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) released interim final regulations implementing the Health Information Technology for Economic and Clinical Health Act (“HITECH”) mandate that health care providers notify their patients of information security breaches. Providers are encouraged to take steps now to respond to the new requirements.
Just as certain exams and diagnostic tests can help detect illness early, when it can more efficiently and effectively be treated, similar measures can help physician practices prevent security breaches in the first place, and minimize practice expense and disruption when breaches do occur. These include:
- Hiring knowledgeable consultants to perform security risk assessments. The Health Insurance Portability and Accountability Act (“HIPAA”) Security Rule, which has been in effect since April 2005, requires covered entities that create or maintain electronic protected health information (“PHI”) to “[c]onduct an accurate and thorough assessment of the potential risks and vulnerabilities” and follow up to mitigate these risks and thus avoid breaches in the first place.
- Reviewing contracts with eRX (e-Prescribing), EHR (Electronic Health Records) and PHR (Personal Health Records) vendors. Work with your attorneys to review contracts you may already have with software vendors whose products are in use in your practice. Make sure they promise compliance with HIPAA and the National Institute of Standards and Technology (“NIST”) standards. Now is a particularly good time to review: the agreements may need to be updated to comply with new HITECH requirements for business associate agreements.
- Developing policies for identifying and responding to breaches. It is more efficient to decide now how your practice will respond to a breach than to handle it the throes of an emergency. Proactive steps can help ensure an efficient and effective response without disrupting regular operations. Your policy should define “breach,” identify who has primary responsibility for investigating and managing a reported breach, establish a communications strategy for patients, OCR, media, and others including payors whom you may be required to inform, and more. Work with knowledgeable counsel to make sure your policy complies with HIPAA and the new HITECH regulations.
Figure 1 summarizes how to identify a breach and associated reporting requirements.
Breach. A breach is the unauthorized “acquisition, access, use, or disclosure of protected health information … which compromises the security or privacy of the [PHI].” PHI is compromised if the unauthorized activity “poses a significant risk of financial, reputational, or other harm to the [patient].” Certain unintentional or inadvertent uses or disclosures are not considered breaches, but these exceptions are limited. Unauthorized access includes access by an employee for purposes not permitted by HIPAA or the practice’s privacy policies.
Unsecured PHI. PHI is secured if it is “rendered unusable, unreadable, or indecipherable to unauthorized individuals[.]” Under the new guidance, this means that the PHI is encrypted according to standards published by NIST, or has been completely destroyed. Because it is not possible to encrypt or destroy all information in use at any given time in a practice, some data will always be at risk of a reportable breach.
Reporting. If a breach involves just one or a few patients, those patients must be notified within sixty days and the breach must be listed in an annual report to OCR. But if the breach involves 500 or more patients, prompt reports also must be made to the news media and OCR. Providers who identify otherwise unreported breaches must also submit an annual log of those breaches to OCR.
Every practice is susceptible to security breaches. Proactive measures can help a practice avoid preventable breaches and minimize the impact of any breaches that do occur.