When investigating a breach of IT network security leading to leakage of protected health information, HHS looks for consistency in the covered entity’s response — with both HIPAA rules and the organization’s own written procedures, according to a former official with HHS’ Office for Civil Rights.
OCR tends to “expect a perfect assessment done the same way every time,” said David Holtzman, now vice president of compliance at CynergisTek, Inc. Without an incident response program in place, organizations “will often forget a very important component,” he said. OCR also wants to see policies and procedures that are “almost a recitation of the notification process.”
When OCR investigates, as it does for all major breaches, its standard document requests include the policies and procedures the entity has on file, as well as the process that actually was followed in this instance, said Holtzman, speaking in an Aug. 7 webinar presented by the International Association of Privacy Professionals. “Often, when there’s been a breakdown” at a covered entity, he said, “somehow they got off track and didn’t follow their own internal policies.”
Under HIPAA’s breach notification rule, as amended in 2013, an impermissible use or disclosure is presumed to require notification unless a low probability of compromise is demonstrated. The rule specifies four factors that must be considered, but others may be included as well if part of a “fair, reasonable analysis,” Holtzman noted.
The first of the four factors is the nature and extent of the protected health information involved. “Determine the classification of data and the risk to individuals’ confidentiality,” Holtzman said. In considering the second factor, the person to whom the PHI was disclosed, evaluate not only whether the recipient has an independent obligation to protect it but also whether he or she has other information that might re-identify it, he continued.
Example. Patient dates of service and type of treatment were disclosed. An employer that obtains this PHI might be able to identify the individual based on an employee’s absences.
Determining whether the PHI was accessed — the third factor — may require a formal forensic analysis, added Marti Arvin, chief compliance officer at UCLA Health System. A formal forensic analysis is one “that could stand up in a court of law,” she noted. “Often, organizations don’t have someone with that expertise on staff,” so it may need to be outsourced.
The fourth factor, mitigation, can take the form of a confidentiality agreement by the recipient — if this is a reliable party — or proof that the PHI has been returned or destroyed, Holtzman continued. If a compact disk comes back in little pieces, for example, “that is good evidence of destruction,” he said.
Jeffery Vossenkemper, director for information security at University of Iowa Health Care, described a “spear-phishing” incident in which hackers duplicated the hospital’s human resources portal to extract employees’ username and password information, and used it to divert $50,000 from direct deposit accounts. The investigation confirmed that the attacker had accessed the email system, but that the access was limited to the HR portal emails, he said.
The mitigation measures the hospital adopted as a result included two-factor authentication, user awareness training and “dynamic phishing awareness campaigns” that included testing employees with fake phishing emails, Vossenkemper said.
“Training and education is so critical,” Arvin agreed. “That is where we find most of the issues.” She and Vossenkemper also spoke in the IAPP webinar.
Arvin recounted an incident where UCLA’s server was hacked. The hospital was alerted by the main campus about suspicious traffic, she said, but “we really had no evidence that the PHI had been compromised at that point,” so a full forensic analysis was performed. She distinguished this “defined process” from other instances where security staff have simply looked at a laptop to see if anyone had logged on.
When these steps are taken, employees need to understand the importance of following instructions like “don’t touch the server, don’t touch the laptop,” Arvin noted. “It’s going to require some coordination between your business unit and your compliance officer.”
Among the lessons learned from the incident was the need “to plan ahead and have an incident response plan that has a template already outlined,” Arvin said. The plan should specify who takes the lead in breach response — at UCLA, for example, that can vary depending on the type of incident.
Also, “consider pre-planning what services you might need, and get a master contract with vendors,” Arvin added. “Many of these entities are very willing to do that type of master agreement.”
HIPAA’s breach notification requirements are detailed in the Employer’s Guide to HIPAA Privacy Requirements.