HIPAA Breach Notification Rule

As of the so-called HITECH Act, covered entities and their business associates must report certain breaches of HIPAA to DHHS which can result in seven-figure fines, lawsuits, bad publicity, and other sanctions. Remediation costs may be immense, such as the $17 million incurred by Blue Cross/Blue Shield of Tennessee on top of the $1.5 million civil money penalty for not having sufficient security to prevent a burglar from stealing all their computer equipment and media with millions of individuals’ health insurance data. That is not the only method DHHS may learn of a breach, however. Civil money penalties have resulted from complaints by patients, and one even resulted from a newspaper story. Civil money penalties to date range from $50,000 to two in the $4 million range. And a $50,000 or low six-figure fine may doom a small practice. And these fines cannot be discharged in bankruptcy because they are imposed as a punishment rather than compensating the government for that money it had expended. The largest civil money penalty is reserved for breaches that are not handled properly, capped at $1.5 million for identical such breaches in a calendar year. And DHHS considers that, say, if you lose an unencrypted laptop with no other reasonable and appropriate security in its place, it constitutes a separate violation for each patient’s data on the lost laptop. In addition, patients and others who complain to DHHS may receive a portion of any fine, thereby providing an incentive to complain. Also, an audit by DHHS may lead to a civil money penalty.

Nor are these penalties reserved for large practices. Fines have been assessed against two-physician practices and a small hospice in North Dakota. Being not-for-profit provides no immunity, nor does being a government entity. Alaska Medicaid was fined $1.5 million; and a county government (Skagit County in Washington State), $215,000.

Thus, it is crucial to know how to avoid breaches, how to investigate a security incident, how to determine whether it is a breach, when you have to report a security incident to DHHS (and sometimes to state agencies), and how to mitigate (lessen) the harm of a breach. How a so-called covered entity responds to security incidents and breaches receives great scrutiny in DHHS audits and is a factor in determining whether a sanction is warranted and in lessening the fine from what it otherwise might be.

HIPAA requires covered entities to, in addition to its Privacy Officer, have a complaint procedure and a complaint official (who can be the Privacy Officer) in addition to having a report procedure and a response (how do you handle the report) procedure. Failure to have these elements of HIPAA compliance or having inadequate ones constitute a breach of the HIPAA requirements.

The webinar, given by an expert HIPAA consultant, author, attorney, and expert witness, will begin an introduction stressing the importance of complying with the breach notification provisions of the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”), including lessons learned from covered entities who settled a violation in lieu of a civil money penalty that is likely to cost upwards of six-figures. Then, the webinar will continue with defining a security incident and providing examples. All breaches are initially security incidents but not all security incidents are breaches. The discussion will cover both:

• Your internal definition
• HIPAA’s definition

This portion re incidents will conclude with a discussion of the HIPAA requirement for a Security Incident Report and Response Procedure including what such documents must contain. A recent settlement in lieu of a civil money penalty was largely because of failure to have this required HIPAA document.

The next major topic is the HIPAA definition of a breach. The webinar will focus not only on the definition of a breach but the Omnibus Rule’s new explanation as to what isn’t a breach which must be understood so as not to report something that is not a breach and hence is not reportable with all the adverse consequences of reporting.

The next topic covers the HIPAA definition of what is a reportable breach. Failure to report a reportable breach is itself a violation that can lead to a civil money penalty. In 2017 Presence Health settled the first action in the history of HIPAA enforcement to be levied for failure to properly notify patients of a breach of unsecured protected health information (PHI) for $475.00.

The HIPAA test for whether a breach is reportable requires covered entities to use the National Institute for Standards and Technology four-part (“NIST”) test for determining whether the presumption that a breach will cause harm has been rebutted. The webinar will include an example of a real-life NIST analysis to demonstrate how to perform such a test properly.

Then the webinar will cover how do you report a breach?

• To affected individuals.
• To the Department of Health and Human Services.
• To prominent local media—television stations, radio stations—newspapers in relevant zip codes.
• To others—other state and federal laws requiring reporting, in some cases when HIPAA would not require reporting. Many states require reporting of Personally Identifiable Information (PII) breaches which includes Protected Health Information (PHI).

The final topic will cover the procedure for handling a potential breach:

• What should one who discovers or suspects a security incident should do?
• The necessity for immediate action.
• Submitting the security incident report.
• Action to take upon receiving the report.
• Investigating the incident.
• Determining whether it is a breach and, if so, is it reportable?
• Taking proper steps to mitigate (lessen the harm of) a breach.
• How to respond if notified of an HHS investigation?

The webinar will conclude with a summary and a question and answer session.

Topics which will be covered in the session (bulleted point)

• Introduction.
• Why do we need to understand this topic?
• The HIPAA definition of a security incident.
• Your internal definition.
• HIPAA’s definition.
  • The HIPAA definition of a breach.
  • The HIPAA definition of a reportable breach.
  • The HIPAA test for whether a breach is reportable using the National Institute for Standards and Technology (“NIST”) test.
  • How do you report a breach?
  • To affected individuals
  • To DHHS
  • To others
• Example of a NIST analysis.
• How do you mitigate the harm of a breach?
• How do you respond if DHHS investigates the breach?
• Conclusion and question and answer.

This webcast will be of a valuable assistance to the below audience.

• Healthcare Security officers
• Privacy Officers
• IT Directorss
• Health Information Management Directors
• Compliance Officers
• Owners
• All healthcare organizations that are covered entities (virtually all providers and health plans)
• Law Firms Representing Healthcare Organizations
• HIPAA consultants
• American Health Information Management Association/li>
• Healthcare Financial Management Association