Regulatory Compliance: How To Manage Patient Information Breach Assessment and Notification
CDA Practice Support
Every health care provider in California should know the procedures for notifying the affected parties of a patient information breach. Two regimes apply. The state data breach law covers most businesses and government agencies and applies to certain categories of electronic information. The HIPAA breach notification rule covers HIPAA covered entities and their business associates and applies to "protected health information" in every format. Many health care providers carry cyber liability insurance that will help carry out the required notifications, but the legal obligation remains the provider's, so providers should understand it.
What Information Triggers Notification Requirement?
The state breach law requires notification when certain categories of unencrypted electronic information are acquired by an unauthorized person. Encrypted data also triggers notification if the encryption key or security credential was acquired along with it and could reasonably be used to render the data readable. The covered information is an individual's first and last name, or first initial and last name, in combination with any of the following:
■ Social Security number.
■ Driver’s license number or California identification card number.
■ Account number, credit/debit card number, in combination with any required security code, access code or password that would allow access to the person’s financial account.
■ Medical information, defined as “any information regarding an individual’s medical history, mental or physical condition or medical treatment or diagnosis by a health care professional.”
■ Health insurance information, defined as “an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual or any information in an individual’s application and claims history, including any appeals records.”
■ A username or email address in combination with a password or security question and answer that would permit access to an online account.
■ Information or data collected through the use or operation of an automated license plate recognition system.
The HIPAA breach notification rule applies to "protected health information" in all forms: electronic, oral and hard copy. Protected health information (PHI) is individually identifiable health information created, received, held or transmitted by a covered entity or its business associate. PHI does not include employment records a covered entity holds in its role as an employer, or education records, which are governed by other laws.
HIPAA Breach Risk Assessment
Any impermissible acquisition, access, use or disclosure of PHI is presumed to be a breach. HIPAA requires breach notification unless the covered entity either determines that the incident falls within one of three exceptions or documents, after performing a breach risk assessment, that there is a low probability the PHI was compromised. The three exceptions are:
1. The unintentional acquisition, access or use of PHI by a staff member or a person acting under the authority of the covered entity or business associate, made in good faith and within the scope of that person's authority, as long as it does not result in further impermissible use or disclosure.
2. The inadvertent disclosure of PHI by a person authorized to access PHI at the covered entity or business associate to another person authorized to access PHI at the same organization, as long as the PHI is not further used or disclosed impermissibly.
3. The covered entity has a good-faith belief that the unauthorized person who received the PHI would not reasonably have been able to retain it.
If none of the exceptions applies, the fourth route to avoiding notification is a documented finding that there is a low probability the PHI was compromised. That finding is made by performing a breach risk assessment, recorded together with the log entry for the impermissible use or disclosure. The assessment must consider at least the following factors:
■ Nature and extent of the patient information involved, including the types of identifiers and the likelihood the individual could be re-identified.
■ The unauthorized person who used the information or to whom it was disclosed.
■ Whether the patient information was actually acquired or viewed, as opposed to merely exposed.
■ Extent to which the risk to the information has been mitigated.
A three-point scale (high, medium, low) applied to each factor can be used to reach an overall risk rating, but the four factors must be weighed together; a low rating on one factor does not by itself support a low-probability finding. If the covered entity concludes that the probability of compromise is low and elects not to notify, the completed assessment is the evidence that supports that decision and must be documented. HIPAA documentation must be retained for at least six years from the date it was created or, for a policy or procedure, from the date it was last in effect, whichever is later. Documenting a breach risk assessment is not required if the covered entity instead proceeds directly to notifying the affected individuals.
Examples of impermissible uses and disclosures of PHI on which a HIPAA privacy officer may want to conduct a breach risk assessment include:
■ Staff leaving a detailed message for a patient with someone the patient did not authorize to receive such information.
■ A ransomware infection on systems that store or process PHI; the encryption of PHI by an attacker is itself an unauthorized acquisition, so the assessment must be able to show that the data was not also viewed or exfiltrated.
■ Paper charts found in a dumpster or in the possession of an unauthorized individual.
Breach Notification
The state breach law requires notification in the most expedient time possible and without unreasonable delay following discovery of the breach. Notice may be written or electronic. In the case of a breach of a username or email address in combination with a password or security question answer, electronic notification must not be sent to the email address that was subject to the breach; the notice must be delivered another way, such as a clear and conspicuous notice shown when the individual next logs in from a known device or address.
HIPAA-covered entities must provide notification "without unreasonable delay" and in no case later than 60 calendar days after the breach is discovered. A breach is treated as discovered on the first day it is known to the covered entity or, by exercising reasonable diligence, would have been known. If a business associate acting as the covered entity's agent discovers the breach, the business associate's knowledge is imputed to the covered entity and the 60-day clock starts on the day the business associate discovered it, even if the business associate delays informing the covered entity. If the business associate is not an agent, the clock starts when the business associate notifies the covered entity, so business associate agreements should require prompt reporting.
Both state law and HIPAA require specific content in the notification. California also specifies the format, requiring the notice to be organized under prescribed headers. If the breach involved Social Security, driver's license or California identification card numbers and the notifying business was the source of the breach, the state requires an offer of identity theft prevention and mitigation services, such as credit monitoring, at no cost to the individual for not less than 12 months.
Under state law, an entity that must notify more than 500 California residents as a result of a single breach must also submit a sample copy of the notification to the state attorney general's office. Under HIPAA, if 500 or more individuals are affected, the covered entity must notify the U.S. Department of Health and Human Services within 60 days of discovery and, when more than 500 residents of a state or jurisdiction are affected, prominent media outlets serving that area within the same period. If fewer than 500 individuals are affected, a HIPAA-covered entity must log the breach and report it to HHS no later than 60 days after the end of the calendar year in which it was discovered (March 1 in non-leap years, Feb. 29 in leap years).
A breach notification checklist and sample notification letter are available in the Practice Support section of cda.org.