This article is reprinted from Healthcare IT News with the author’s permission.
The handling of data breach incidents has become a way of life for healthcare providers and with other HIPAA covered entities. With the passage of the HITECH Act last year, there are now substantial penalties that can be levied, up to $1.5 million. This fact, combined with a requirement to notify the Department of Health and Human Services as well as the media for data breach incidents that affect over 500 individuals has, for the first time, resulted in public records being kept for such incidents.
If you oversee privacy, compliance, or IT for a hospital system, a group practice, a health insurance company, other covered entities, or even one of their business associates, the HITECH Act and its privacy and data breach provisions require your close attention. While many people know that HITECH generally creates requirements for data breach notification, there are at least four things you may not know about HITECH that you really should:
- The requirement for a mandatory incident-specific risk assessment for every incident
- The fact that HITECH notification provisions do not pre-empt state notification laws
- Encryption of data does not necessarily alleviate the risk of data breach
- If your business associate exposes your protected health information (PHI), you are responsible
1. Mandatory incident-specific risk assessment. When HHS issued its Interim Final Rule giving healthcare organizations guidance for complying with the HITECH Act data breach provisions, it added a new requirement. The requirement is that the organization carry out an incident-specific risk assessment to determine the potential risk of harm to the individuals affected by each and every data breach incident. The rules establish a “harm threshold” for notification, but unfortunately, don’t make the determination of risk and the potential of harm. It is essential to become well versed in these rules and be prepared to carry out a HITECH compliant data breach incident risk assessment.
2. HITECH doesn’t pre-empt state notification laws. While HITECH is the first national law for notification in the case of privacy information breaches, most U.S. states also have breach notification laws. And while the intent of these laws is similar — to make individuals aware that their PHI may have been improperly disclosed — the specific details in all of these laws can actually vary a great deal. But because HITECH is not “preemptive,” a healthcare organization that has experienced a data breach must ensure that it complies with both HITECH regulations as well as the regulations in every state where individuals are affected. This can be daunting especially because HITECH and state laws in some cases are conflicting.
3. Encryption not a silver bullet. There is a lot of advocacy for encryption of PHI as a means to avoid data breach incidents. The general argument is that if data is encrypted, that data breaches will not occur. Unfortunately, this is overly simplistic. While encryption will assist healthcare organizations in avoiding certain types of data breach incidents, it is not a panacea. For instance, a common threat approach is for a criminal or organized crime entity to enlist an “insider” to assist in extracting PHI. An insider with valid access credentials will not find encryption to be an obstacle in any way. As a result, consider encryption one of many tools for information protection, not a silver bullet.
4. You are responsible for your business associate. For the first time, HIPAA business associates are required to meet the HIPAA Privacy and Security Rule requirements based on HITECH. While this is a good thing, a covered entity should not consider this a “free pass” if one of your business associates exposed PHI that was provided by your organization. While you may be able to hold them financial accountable, if you’ve specified for such eventualities in your business associate agreements, the obligation for notification is still with the covered entity. It is your responsibility to maintain the privacy for the PHI, no matter to whom you entrust it. And of course, the affected patients will hold you responsible as well.
As you put processes and procedures in place to meet HITECH obligations, consider also putting in place a comprehensive and current data breach incident response plan. This will prevent a lot of headaches and last-minute scrambling, should you be faced with a data breach.
ID Experts provides professional Data Breach Services for the healthcare industry.