1 What is a breach?
A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security and privacy of PHI.
An impermissible use or disclosure under the Privacy Rule is assumed to be a breach unless the CE or BA demonstrates (based on a risk assessment) that there is a low probability that the PHI has been compromised.
To demonstrate that a breach has not compromised PHI, your practice must thoroughly assess the four requirements for determining a breach.
- Nature and extent of PHI involved in use or disclosure
- Types of identifiers
- Likelihood that PHI could be re-identified.
- Unauthorized person who used PHI or to whom the disclosure was made.
Determining if a Breach of Unsecured PHI has occurred
When you suspect a breach of PHI has occurred, first conduct a risk assessment to examine the likelihood that the PHI has been compromised. To demonstrate that a breach has not compromised PHI, you must thoroughly assess at least the four required elements listed below:
- The nature and extent of the PHI involved in the use or disclosure
- The types of identifiers and the likelihood that PHI could be re-identified
- If the breached data is encrypted and you followed standard encryption specifications, it would not be considered a breach of unsecured data.
- The unauthorized person who used the PHI or to whom the disclosure was made.
What to do if you have a Breach
2 Reporting a Breach
If you determine that breach notification is required, there are three types of notification to be made: to individuals, to the Secretary of HHS, and, in some cases, to the media. The number of individuals affected by the breach determines your notification requirements. Visit the OCR Breach Notification Rule web page for more information on notifying individuals, the Secretary and the media.
You should also visit the OCR website for instructions on how to submit the breach notification form to the Secretary of HHS.
3 What is Secured PHI?
An unauthorized person cannot use, read or decipher any PHI that he/she obtains because your practice:
- Encrypts the information; or
- Clears, purges, or destroys media (e.g. data storage devices, film, laptops) that stored or recorded PHI; or
- Shreds or otherwise destroys paper PHI.
4 What is Unsecured PHI?
An unauthorized person may use, read, and decipher PHI that he/she obtains because your practice:
- Does not encrypt or destroy the PHI; or
- Encrypts PHI, but the decryption key has also been breached.
5 Seven-Step Approach for Implementing a Security Management Process
- Lead your culture, select your team and designate a Security Officer for your organization.
- Document your process, findings and actions.
- Review existing security of ePHI (Perform Security Risk Analysis).
- Develop an Action Plan.
- Manage and Mitigate risks.
- Attest for Meaningful Use Security-related objective.
- Monitor, audit, and update security on an ongoing basis.
6 What Security Documentation should be retained in Case of Audit?
Records of Security Compliance should include, but not be limited to, the following:
- Policies and Procedures
- Completed security checklists
- Training materials given to staff and volunteers; copies of certificates of completion
- Updated BA agreements
- Security Risk Analysis Report
- EHR audit logs that show both utilization of security features and efforts to monitor users’ actions
- Risk Management Action Plan or other documentation that shows that safeguards are in place throughout your organization.
- Security Incident and breach information
7 What are some tips for a Better Security Risk Analysis?
- Educate staff about the iterative and ongoing nature of the security risk analysis process.
- Make security a high priority in your workplace culture.
- Have an action plan that clearly assigns responsibilities for each risk analysis component.
- Involve your EHR developer in the process.
- Ensure that the risk analysis is specific to your situation.
8 What are the Security Risks with Different Types of EHR Hosts?
| Host Type | Risk | Mitigations |
| --- | --- | --- |
| Office-based EHRs | Natural disaster could greatly disrupt availability of ePHI. | Always store routine backups offsite. |
| Office-based EHRs | You directly control the security settings. | Follow best practices on policies and procedures about access to ePHI. For example, use password controls and automatic logout features. |
| Office-based EHRs | When public and private information security requirements change, you have to figure out how to update your EHRs and work out any bugs. | Routinely monitor for changes in federal, state, or private-sector information security requirements and adjust settings as needed. |
| Cloud-based EHRs | You are more dependent on the reliability of your Internet connection. Your data may be stored outside the U.S. and other countries may have different health information privacy and security laws. | Confirm that your EHR host follows U.S. security standards and requirements. |
| Cloud-based EHRs | The developer may control many security settings. The adequacy of these settings may be hard to assess. | Ask for specific information. |
| Cloud-based EHRs | In the future, the developer might request extra fees to update your EHR for compliance as compliance requirements evolve. | Ensure your EHR stays compliant. Ask your developer about fees charged for security updates. |
9 Who must Comply with HIPAA Rules?
Covered Entities (CEs) and Business Associates (BAs) must comply with HIPAA Rules. CEs include:
- Health care providers who conduct certain standard administrative and financial transactions in electronic form, including doctors, clinics, hospitals, nursing homes, and pharmacies. Any health care provider who bills electronically (such as a Medicare provider) is a CE.
- Health plans
- Health care clearinghouses
A BA is a person or entity, other than a workforce member (e.g. a member of your office staff), who performs certain functions or activities on your behalf, or provides certain services to or for you, when the services involve the access to, or the use or disclosure of, PHI. BA functions or activities include claims processing, data analysis, quality assurance, certain patient safety activities, utilization review and billing.
BA services to a CE can be legal, actuarial, accounting, consulting, data aggregation, information technology, administrative, accreditation or financial services. Many contractors that perform services for a CE are not BAs because the services they provide do not involve the use or disclosure of PHI.
10 Examples of BAs include:
- Health Information Exchanges (HIEs)
- E-prescribing gateways
- Person who provides data transmission services that involve routine access to PHI for a CE
- Subcontractor to a BA that creates, receives, maintains, or transmits PHI on behalf of the BA
- An entity that a CE contracts with to provide patients with access to a Personal Health Record on behalf of a CE
11 What Types of Information does HIPAA Protect?
The Privacy Rule protects most individually identifiable health information held or transmitted by a CE or its BA, in any form or media, whether electronic, paper, or oral. This information is called PHI, which is defined as individually identifiable health information, including demographic information, that relates to:
- The individual’s past, present or future physical or mental health or condition
- The provision of health care to the individual, or
- The past, present, or future payment for the provision of health care to the individual.
12 What is the HIPAA Security Rule?
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule establishes a national set of minimum security standards for protecting all ePHI that a Covered Entity (CE) and Business Associate (BA) create, receive, maintain, or transmit. The Security Rule contains the administrative, physical, and technical safeguards that CEs and BAs must put in place to secure ePHI.
13 What is Cybersecurity?
Cybersecurity refers to ways to prevent, detect, and respond to attacks against, or unauthorized access to, a computer system and its information. Cybersecurity protects your information or any form of digital asset stored in your computer or in any digital memory device.
It is important to have strong Cybersecurity practices in place to protect patient information, organizational assets, your practice operations and your personnel. Cybersecurity is needed whether your EHR is installed locally in your office or accessed over a cloud.
14 What is Encryption?
Encryption is a method of converting an original message of regular text into encoded text. The text is encrypted by means of an algorithm. If information is encrypted, there is a low probability that anyone other than the receiving party who has the key to decode the message will read the message. HIPAA Watchdog’s Secure Messaging encrypts the emails that you send to patients or other providers. The messages are automatically decoded once they arrive at the intended address.