Archive for August, 2009
Consider these tips to maintain compliance with the HHS interim final rule on breach notification:
Know what constitutes a breach. Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, privacy, security, and compliance consultant at Rebecca Herold & Associates, LLC, in Des Moines, IA, says covered entities (CEs) and business associates (BAs) must read closely and understand section 164.402 of the interim final rule on definitions, especially the definition of a breach. “The exclusions listed are commonly the cause of much confusion,” she says.
Know when to provide notification. CEs should know they must provide breach notification to affected individuals, and BAs should know they must notify CEs as soon as possible when breaches occur, Herold says. “Great confusion and harm could result if a BA notified individuals and provided inaccurate, incomplete, or otherwise inappropriate information,” she adds.
Sharpen your training. Under section 164.530 of the interim final rule, CEs must train all staff members on the new requirements. The clock starts ticking on the notification requirements as soon as you know—or reasonably should have known—about the breach, says Chris Simons, RHIA, director of UM & HIMS and the privacy officer at Spring Harbor Hospital in Westbrook, ME. Staff members should receive training on how to report any breach regardless of its significance, and ongoing communication is also crucial for compliance, Herold adds. “Make sure you are providing effective training,” Herold says. “Effective training is a comparatively low-cost activity, but can provide the greatest impacts for improving information security and privacy.”
Registration puts the patient’s primary physician on the registration screen. When the lab faxes the results, they go to the ordering physician and to the primary care physician. We do not ask patients whether they want their lab results to go to their family or primary care physician.
Is this a HIPAA violation?
Diane Arrants, IT Director/Privacy and Security Officer
HHS’ interim final rule on breach notification released last week carries over most of the breach notification requirements of the HITECH Act:
- Notification to affected individuals without unreasonable delay, and no later than 60 calendar days after discovery of the breach
- Notification to HHS on all breaches; immediately for breaches affecting 500 or more individuals, otherwise through an annual log
- Notification to prominent media outlets for breaches affecting more than 500 residents of a state or jurisdiction
- A safe harbor for PHI that has been rendered unusable, unreadable, or indecipherable, for example by encryption consistent with National Institute of Standards and Technology (NIST) guidance
However, there is something new and significant — a “harm threshold” provision that will help covered entities and business associates (BAs) determine whether or not to report a breach.
HHS says in the interim final rule that many commenters on the draft guidance in April suggested HHS add a “harm threshold such that an unauthorized use or disclosure of [PHI] is considered a breach only if the use or disclosure poses some harm to the individual.”
Now, covered entities and their BAs will perform a risk assessment to determine whether an unauthorized use or disclosure poses a significant risk of harm to the individual whose PHI was involved.
According to the interim final rule, the important questions are:
- In whose hands did the PHI land?
- Can the information disclosed cause “significant risk of financial, reputational, or other harm to the individual”?
- Was mitigation possible? For example, can you obtain forensic proof that a stolen laptop computer’s data was not accessed?
In certain cases, if the information includes only a patient’s name and the fact that the patient received services at the hospital, there may be no significant risk of harm, and therefore no reportable breach. But what if the information includes the patient’s oncology treatments? There is real potential for harm, and that is a breach.
This is good news for covered entities, especially when you consider all the faxes containing PHI that go to the wrong number within a hospital. If that fax goes to another HIPAA covered entity that immediately shreds it, no breach notification is required.
“It’s good news since it appropriately lets organizations off the hook when the breach, as defined by the Recovery Act, doesn’t appear to put the patient or plan member at measurable risk,” says Kate Borten, CISSP, CISM, president of The Marblehead Group in Marblehead, MA.
Chris Simons, RHIA, director of UM & HIM and the privacy officer at Spring Harbor Hospital in Westbrook, ME, says the harm threshold provision in the interim final rule leaves the rule “nowhere near as strict as I was expecting.”
“Privacy officers should be breathing a sigh of relief that those faxes sent by mistake to one doctor instead of another, for instance, will not be required to be reported,” Simons adds.
Covered entities and BAs may be let off the hook on some breaches for good reason, as cited above. But at other times the harm threshold may lead them down the wrong road, misjudging or underrating the impact of a breach.
“The bad news from a privacy compliance perspective is that while the harm threshold approach requires organizations to perform and document a risk assessment in every instance,” Borten says, “introducing the concept of a subjective harm threshold can be seen as a big loophole that some organizations will stretch.”
After reviewing the released breach notification Guidance, several observations came to my mind.
It is readily apparent that those who submitted comments were focused on getting additional clarification in several areas where the original Guidance was a bit sketchy. This included such areas as the content of notices being used to indicate a breach to those affected and how to determine the level of broadcast media needed to satisfy the expectation that those affected would be notified of a breach.
In addition, there were various scenarios presented which in my opinion were very representative of the types of situations that would be expected to occur on an ongoing basis. In particular, these included a patient being handed another patient’s discharge instructions by a nurse, and the recipient of a misdirected e-mail reading message content, including PHI, that was not intended for them.
What struck me most about the interim final rule was that it was not primarily focused on clarifying the syntax of the previously released Guidance, or on indicating the use of different wording in the originally released text related to the notification requirements; rather, it seemed to be more focused on filling in those gaps or blanks which the previous Guidance seemed to gloss over.
It is my conclusion that the effectiveness of the newly released Guidance is representative of the thought and effort that went into the comments that were directed to HHS for review and response. This was particularly highlighted by the comments shared within the interim final rule which spoke to the different scenarios on how the number of breaches would either trigger or not trigger certain notifications.
This was a level of detail and hypothetical analysis that caught me by surprise, albeit much welcomed.
It is difficult for me to imagine that this recent Guidance did not answer more questions than it may have raised. Certainly people may still have questions, but at least now we can all turn to the same body of work and share some common reference points when moving forward in getting these questions answered.
HIPAA Boot Camp
Q. Generally, who in a hospital maintains and tracks business associate (BA) agreements? Is it information systems staff members, the security officer, the compliance officer, or someone else?
A. The procedure for handling BA agreements varies from one organization to the next. Many organizations require legal counsel to review all contracts before they are finalized, and this is a good way to ensure that contracts include a BA agreement if necessary. Legal counsel may have responsibility for maintaining a database of all contracts. Alternatively, the compliance or materials management staff may do this.
Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, answered this question. This is not legal advice. Consult your attorney regarding legal matters.