The Complete Guide To Reporting A Healthcare Data Breach The Right Way

Reporting a Data Breach to HHS – Collect All the Information the First time

As of today, 1694 data breaches have been reported to the Department of Health and Human Services, impacting over 168 million individuals. The numbers continue to rise at a rapid pace: 2016 was a clear cause for concern, and the trend is carrying forward into 2017. The final breach notification rule requires healthcare organizations to conduct a data breach investigation on each and every unauthorized use or disclosure of protected health information to determine whether there is a “low probability that the information is compromised.” What does that actually mean, and how do you prove “low probability”?

To start, a breach risk assessment should be completed on each unauthorized use or disclosure of protected health information. As part of the breach risk assessment, four objective questions must be asked and answered every time an investigation is completed:

  1. The nature and extent of the PHI involved in the data breach, including the types of identifiers and the likelihood of re-identification
  2. The unauthorized person (or people) who used the PHI or to whom it was disclosed
  3. Whether the PHI was viewed, acquired, or re-disclosed
  4. The extent to which the risk to the PHI has been mitigated

Phew, you answer these questions and you now have all the documentation you need to evaluate the potential breach and submit information to the federal government if it is determined that a breach occurred. WRONG!!! Many more data elements must be collected during the investigation in the event that a data breach needs to be reported to DHHS. The Secretary of HHS recently updated the breach notification submission method, and the new form has clearer data elements and requirements for reporting purposes. Understanding the data elements that must be reported is the foundation of creating a proper method for investigating and documenting a data breach. With the updated reporting form, covered entities and business associates must be ready to report all of these data elements:

  • Are you a Covered Entity, Business Associate on behalf of a Covered Entity, or a Covered Entity on behalf of a Business Associate?
  • Name of Covered Entity
  • Type of Covered Entity
  • Address
  • Covered Entity Point of Contact
  • Breach Affecting (500 or more individuals, or under 500 individuals)
  • Breach Start Date
  • Breach End Date
  • Discovery Start Date
  • Discovery End Date
  • Approximate Number of People Impacted
  • Type of Breach (Hacking/IT Incident, Improper Disposal, Loss, Theft, Unauthorized Access/Disclosure)
  • Location of Breach (Desktop Computer, Electronic Medical Record, Email, Laptop, Network Server, Other Portable Electronic Device, Paper/Films, Other – Must enter a location)
  • Type of Protected Health Information Involved (Clinical, Demographic, Financial, Other-Must enter details)
    • Clinical (Diagnosis, Lab Results, Medications, Other Treatment Information)
    • Demographic (Address/ZIP, Date of Birth, Driver's License, Name, SSN, Other Identifier)
    • Financial (Claims Information, Credit Card/Bank Acct#, Other Financial Information)
    • Other (must complete a free text description)
  • Brief Description of the Breach
  • Safeguards in Place Prior to Breach (None, Privacy Rule Safeguards, Security Rule Administrative Safeguards, Security Rule Technical Safeguards, Security Rule Physical Safeguards)
  • Individual Notice Provided Start Date
  • Individual Notice Provided Projected/Expected End Date
  • If Substitute Notice was required (yes or no)
    • If yes (fewer than 10, or 10 or more)
  • If Media was notified
    • If yes, select the State(s) or Territories in which media notice was provided
  • Actions taken in response to the breach
    • Adopted encryption technologies
    • Changed password/strengthened password requirements
    • Created a new/updated security rule risk management plan
    • Implemented new technical safeguards
    • Implemented periodic technical and nontechnical evaluations
    • Improved physical security
    • Performed a new/updated security rule risk analysis
    • Provided business associate with additional training on HIPAA requirements
    • Provided individuals with free credit monitoring
    • Revised business associate contracts
    • Revised policies and procedures
    • Sanctioned workforce members involved (including termination)
    • Took steps to mitigate harm
    • Trained or retrained workforce members
    • Other (must describe)
  • Name of individual completing the submission

If you are not collecting all of these data points each time you complete an investigation, you run the risk of not having accurate data and potentially having to repeat the investigation. Create a process that assures collection of all required data elements needed for breach reporting up front, so you don’t have to repeat work and risk extending past the 60-day investigation and notification timeline!

In addition to collecting information for reporting purposes, you must also collect data as your ‘burden of proof’. The administrative component of the HIPAA Breach Notification requirements states that covered entities and business associates must maintain documentation demonstrating that an investigation took place and what its outcome was. The following documentation needs to be maintained.

If a breach occurred, the covered entity must maintain documentation showing that all notifications were made, to whom they were made, the date of each notification, and the content of the notification. If alternate notification occurred, the covered entity should document the type of notification and the individuals to whom that notification was provided.

If a breach did not occur but an investigation was completed, a covered entity needs to maintain documentation of the breach risk assessment, documentation of why it was determined that there was a low probability that the information was compromised, and documentation of any breach notification exception that was applied and why it applied.

Don’t get in the habit of doing duplicate work – collect all the data elements up front. Check out the new and improved Data Breaches Impacting Greater than 500 Individuals website.

Prepare, Document, and Take Action!