HIPAA requires you to have breach notification policies and procedures to ensure proper handling of a breach of unsecured protected health information (PHI). Do you have breach notification policies and procedures that comply with HIPAA, including the most recent changes that went into effect in 2013? Are you training your staff about how to handle suspected breaches? If not, you could end up like Skagit County in Washington, which agreed to a settlement with HHS that includes a $215,000 penalty and a three-year corrective action plan.
What happened?
The Skagit County Public Health Department assists individuals otherwise unable to pay for healthcare services. The Office for Civil Rights opened an investigation of Skagit County after receiving a breach report that individuals’ ePHI contained on receipts was inadvertently made publicly accessible on a web server. According to an HHS press release, Skagit County thought only seven individuals’ ePHI was involved but OCR’s investigation revealed 1,581 individuals were affected. The ePHI included information about testing and treatment of infectious diseases. HHS also indicated the OCR investigation found Skagit County noncompliant with HIPAA Privacy, Security and Breach Notification Rules.
OCR said Skagit failed to:
- properly notify individuals when Skagit “knew or should have known” their ePHI was affected by the breach
- implement policies and procedures to prevent, detect and address security breaches
- have and implement policies and procedures compliant with the HIPAA Security Rule
- provide security awareness and training to its staff, particularly those dealing with information security.
As a result of the OCR investigation, HHS and Skagit County entered into a resolution agreement requiring Skagit County to pay a $215,000 fine and institute a three-year corrective action plan. Skagit County must develop and get HHS approval for breach notification forms and substitute notice as well as policies and procedures concerning privacy, security, breach notification and hybrid entities. The county must also assess risks and implement security measures to reduce identified risks to “a reasonable and appropriate level,” train all workers, comply with reporting requirements and get documented assurances that its business associates will protect PHI.
Skagit must also investigate any allegation a worker hasn’t complied with privacy, security or breach notification policies and procedures and report violations (“reportable events”) to HHS within 30 days. Annual reports must be made regarding compliance with the corrective action plan.
Why is this important to you?
So why should a medical office be concerned about an enforcement action against a county government in Washington state? Former HHS deputy general counsel and acting general counsel, Paula M. Stannard, now a health care attorney with Alston & Bird LLP in Washington, D.C., says the Skagit case is the first time OCR actually alleged in a resolution agreement, in addition to breach, that the covered entity failed to provide notice required by the breach notification rules.
This case is also the first time OCR has sought enforcement against a local county government. Generally, when you think of HIPAA violations, “you think of private entities, health plans, providers—you don’t think about government entities,” says Chicago attorney Kimberly J. Kannensohn, of McGuireWoods.
Most importantly, Skagit County is a relatively small entity with only 118,000 residents according to the HHS press release. OCR is saying: “We don’t care how small you are, you are still dealing with personal health information and you need to have policies and technical safeguards and you need to train your employees,” explains Kannensohn. This is an important message for medical offices of any size. “OCR is serious about investigating and enforcing failure to comply by covered entities of all sizes and types,” agrees Stannard.
What should you be doing now?
A “compelling reason for a compliance policy is the cost of a corrective action plan,” explains Kannensohn. “The actual cost to Skagit County isn’t just the penalty. It goes so far beyond that,” she says. “If a covered entity is out of compliance and is required to agree to a corrective action plan, the administrative and regulatory burdens will be more significant than if the entity just complied in the first place.” So avoid Skagit’s fate by focusing on compliance now.
The lesson from the Skagit County case is “the importance of focusing on the basics,” says Stannard. The Skagit County corrective action plan requires it to develop and implement basic compliance policies and procedures that address privacy, security and breach notification. So it appears the entity didn’t already have compliant policies and procedures in place.
You need to make sure your medical office has taken all necessary steps to comply with privacy, security, and breach notification rules. First, HIPAA requires a covered entity to “perform a risk assessment, iterate all your security assets, figure out your vulnerabilities and reduce your identified risks to a reasonable and appropriate level,” advises Kannensohn. OCR won’t be expecting all entities to select the same method of compliance. The government allows some flexibility in how covered entities comply with these requirements. A small physician practice won’t be expected to hire a big nationally recognized firm to complete the risk assessment; a local consultant with sufficient IT experience may be sufficient in that case, says Kannensohn.
But at a minimum, to avoid the problems Skagit County encountered, all medical offices should have the following:
- A risk assessment
- A risk management plan (including policies and procedures and security measures) that reduces risks and vulnerabilities found in the risk assessment to a reasonable and appropriate level
- A privacy officer
- A security officer
- A privacy policy
- A security policy
- A policy and protocol for addressing breaches and handling breach notification
- HIPAA training for staff, including breach notification training.
What should you do if you find a breach?
There are several things you should do if you suspect a breach has occurred. Here’s an explanation of key steps you need to take:
Determine if there’s a reportable breach
Remember that under the new breach notification requirements, a breach is presumed reportable unless you complete a risk analysis that focuses on four factors:
- Type and extent of PHI involved in the breach (type of information and how likely is it the information can be identified or linked to a person);
- Who gained unauthorized access to the information;
- Whether the information was accessed or acquired; and
- What mitigation efforts were made.
Your personnel need to understand that every unauthorized disclosure must be investigated but not every unauthorized disclosure may be a breach, says Kannensohn. It’s the privacy officer or other designated individual that has to make that determination, she cautions. So tell staff they must bring suspected unauthorized disclosures or breaches to the privacy officer’s (or other appropriate person’s) attention. An employee shouldn’t assess the seriousness of it themselves.
Notify affected individuals, HHS and possibly media
Once a breach is determined, the covered entity must notify the affected individuals, the HHS Secretary and, in some cases, the media:
- Individual notice must be given by first class mail, or by email if the individual agreed to email notices, no more than 60 days after the breach is discovered.
- If the entity doesn't have up-to-date or complete contact information for the affected individuals, substitute notice must be used. For fewer than 10 people, the substitute notice may be another form of written notice or telephone notice. If there isn't sufficient information to contact 10 or more of the affected individuals, the covered entity must give substitute notice either by posting it on its website for 90 days or by publicizing it in major print or broadcast media where the affected individuals are likely to reside.
- If more than 500 individuals are affected, the covered entity must also notify prominent media in the jurisdiction or State.
- The entity must also notify the Secretary of HHS: within 60 days if more than 500 individuals are affected, or in an annual report (due 60 days after the end of the calendar year) if fewer than 500 individuals are affected.
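The thresholds and deadlines above are exactly the kind of logic a privacy officer's incident playbook should encode so that nothing is missed once a breach is confirmed. The following calculator is an added example, not code from the article or from HHS; it uses the thresholds as the article states them (the exactly-500 boundary should be checked against the rule text), and the scenario counts are constructed.

```python
"""Breach-notification obligation calculator (added example, not from the article)."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Obligations:
    individual_notice_due: date  # first-class mail (or consented email) no later than this
    substitute_notice: str       # substitute notice needed for people who cannot be reached
    media_notice: bool           # notify prominent media in the jurisdiction or State
    hhs_notice_due: date         # when the HHS Secretary must be told
    hhs_notice_mode: str         # "immediate" (within 60 days) or "annual log"


def notification_obligations(discovered: date, affected: int, unreachable: int = 0) -> Obligations:
    """Apply the notification thresholds and deadlines the article describes.

    affected    - number of individuals whose PHI was involved
    unreachable - affected individuals with no usable mailing address or email
    """
    if affected < 1 or not 0 <= unreachable <= affected:
        raise ValueError("affected must be >= 1 and 0 <= unreachable <= affected")

    # Individual notice: no more than 60 days after discovery.
    individual_due = discovered + timedelta(days=60)

    # Substitute notice depends on how many affected people cannot be reached.
    if unreachable == 0:
        substitute = "none"
    elif unreachable < 10:
        substitute = "alternative written notice or telephone notice"
    else:
        substitute = "website posting for 90 days or major print/broadcast media"

    # Large breaches (more than 500 affected, as the article phrases it) also
    # require media notice and a report to HHS within 60 days of discovery.
    if affected > 500:
        return Obligations(individual_due, substitute, True, individual_due, "immediate")

    # Smaller breaches go in the annual log, due 60 days after the end of
    # the calendar year in which the breach was discovered.
    year_end = date(discovered.year, 12, 31)
    return Obligations(individual_due, substitute, False, year_end + timedelta(days=60), "annual log")


def assess(discovered_iso: str, affected: int, unreachable: int = 0) -> Obligations:
    """Convenience wrapper taking the discovery date as an ISO string (YYYY-MM-DD)."""
    return notification_obligations(date.fromisoformat(discovered_iso), affected, unreachable)


if __name__ == "__main__":
    # Constructed scenario loosely modelled on the counts in the Skagit case.
    print(assess("2013-11-15", 1581, unreachable=12))
```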
Include all required content in your notification
The breach notification rules set specific requirements for the contents of your breach notification. First and most importantly, make sure the notice is written in plain language. Make sure your notice tells the recipient:
- What happened, when it happened and when it was discovered;
- Types of PHI involved (e.g. social security number, name, date of birth, address etc.);
- What the individual should do to protect themselves from harm;
- What the covered entity is doing to investigate and mitigate the breach and prevent further breaches; and
- How to get more information (toll free number, email address, website or postal address).
Implement lessons learned from Skagit County
In addition to these basic steps described above, there are two lessons specific to Skagit County’s breach notification case that you should keep in mind as well when handling breach notification:
- Scope of breach: When you find a breach, “it’s essential you accurately determine the extent of the breach,” advises Kannensohn. Remember that the HHS press release says Skagit indicated only seven individuals were affected but OCR found 1,581 individuals had PHI affected by the breach.
- Substitute notice: Stannard notes that the resolution agreement appears to indicate that Skagit failed to provide alternative notice for individuals it couldn’t reach by regular mail. OCR has emphasized that if you know individuals haven’t received notice of a breach by first class mail, you must comply with substitute notice. “You and your business associates facilitating breach notifications must be sure to follow up. If you have incomplete addresses, or some notices are returned as undeliverable, you need to be prepared to provide substitute notice in accordance with the Breach Notification Rule,” explains Stannard.
Terms of Skagit County corrective action plan
To give you an idea of what could be involved in a corrective action plan, here is a summary of the measures included in the Skagit County corrective action plan:
Skagit must develop and get HHS approval for the following:
- a breach notification form
- substitute breach notification to be published conspicuously in major print or broadcast media in the geographic area in which individuals not previously individually notified likely reside (or conspicuous posting on Skagit’s home page for 90 days)
- accounting of disclosures procedure
- hybrid entity documents (including compliance policies and procedures and safeguards requirements and sample business associate agreement)
- risk analysis and description of risk management measures
- policies and procedures for privacy, security and breach notification
The corrective action plan also requires Skagit County to:
- document implementation of hybrid entity and related safeguards policies and procedures
- document satisfactory assurances from BAs that they will safeguard PHI
- assess risks for ePHI held by covered health care components of Skagit County identified in its hybrid entity documentation
- implement security measures reducing risks and vulnerabilities identified in risk assessment to a reasonable and appropriate level
- train all workers with access to ePHI in privacy, security and breach notification rules (including new policies and procedures) and train new hires within 30 days of employment (workers must certify they received training)
- review training annually and update to reflect changes in law
- prohibit worker access to ePHI until they have been trained
- comply with the following investigation and reporting obligations:
  - Investigate any worker that fails to comply with a privacy, security or breach notification policy or procedure and report to HHS any violations (“reportable events”) within 30 days, in writing (describe the event and relevant policies, the actions taken to address the issue, mitigate harm and prevent recurrence, and the sanctions imposed)
  - Submit an annual report on the status of and findings regarding compliance with the corrective action plan. An annual report is due 60 days after the end of the reporting period and includes a summary of security management measures, reportable events and the status of corrective action, and an officer’s attestation that the report was reviewed and reasonable inquiry revealed it is accurate and truthful; the last annual report is due in the fourth year for the final year of the three-year corrective action plan
  - Retain documentation relating to the corrective action plan for six years