In the daily shuffle of evaluating patients and focusing on the delivery of high-quality patient care, the importance of protecting patient information may get overlooked. Human error is just one possible way patient information can be compromised. Cybersecurity attacks are becoming more numerous and sophisticated every day, with the number of patient records compromised increasing. This trend is expected to continue as practices increase their use of digital technology and social media, and use patient information in ways never anticipated. As a result, practices need to take a proactive approach to safeguarding patient information.
What Is PHI?
Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), identifiable patient information is referred to as protected health information (PHI). PHI is defined as individually identifiable health information that is transmitted or maintained by electronic media or in any other form or medium.
Individually identifiable health information is information (including demographic information) created or received by a covered entity and that relates to the past, present or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present or future payment for the provision of healthcare to an individual; and that identifies the individual, or with respect to which, there is a reasonable basis to believe the information can be used to identify the individual.
The general rule is that, except as expressly permitted or required by HIPAA, a covered entity may not use or disclose PHI without valid authorization. In certain circumstances, patient authorization is not required to disclose PHI, including:
- Disclosures required by law;
- Uses and disclosures for public health activities;
- Disclosures about victims of abuse, neglect or domestic violence;
- Uses and disclosures for health oversight activities;
- Disclosures for judicial and administrative proceedings or law enforcement purposes;
- Uses and disclosures about decedents or for cadaveric organ, eye or tissue donation purposes;
- Uses and disclosures for research purposes;
- Uses and disclosures to avert a serious threat to health or safety;
- Uses and disclosures for specialized government functions; and
- Disclosures for workers compensation.
To disclose PHI without patient authorization pursuant to one of the listed exceptions, the disclosure must satisfy each of the required elements permitting the disclosure. Failure to do so will result in an unauthorized use or disclosure in violation of HIPAA.
The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) is the agency tasked with enforcing HIPAA. In April 2019, the maximum penalty for a HIPAA violation was reduced. Despite this, the OCR maintains an aggressive enforcement policy for privacy incidents, and investigations may take several years.
In addition to OCR investigations, increasingly more states are conducting their own investigations of security incidents that run afoul of state privacy laws and regulations.
Finally, although HIPAA does not afford victims a private cause of action, class action lawsuits filed under state and other federal laws by victims of security incidents are increasing.
Other Privacy Laws to Consider
1. State Laws
Many states now include medical information in their definitions of personal information. Thus, when analyzing a security incident involving patient information, state law must also be considered to ensure that notification, if necessary, to affected individuals and state regulators is provided in compliance with applicable laws. The laws and regulations of the affected individual’s state of residence control when determining notification obligations.
2. California Consumer Protection Act
California enacted the Consumer Privacy Act of 2018 (CCPA), in part as a response to revelations that Facebook data were shared with the political data firm Cambridge Analytica without users’ knowledge or permission. The law, which will be effective starting Jan. 1, 2020, imposes obligations on businesses that collect and process personal information on California consumers to give those consumers rights to access, delete and restrict certain uses of personal information, among other rights.
Many of the rights afforded to California residents parallel data subject rights found in the European Union’s (EU’s) General Data Privacy Regulation (GDPR). Like the GDPR, CCPA has a delayed enforcement date to allow affected businesses more time to come into compliance. Under CCPA, businesses must determine whether they are subject to the law, and take all necessary steps to come into compliance. The law does not authorize the attorney general to bring enforcement action until July 1, 2020, or until six months after the publication of final regulations pertaining to the law, whichever occurs first.
3. General Data Privacy Regulation
The GDPR is an omnibus data protection regulation that replaced the European Data Protection Directive 95/46/EC. The GDPR relates to the processing of personal data. Personal data means any information related to a natural person (a “data subject” in GDPR parlance) that can be used to directly or indirectly identify the person. This includes names, photos, email addresses, bank details, posts on social networking websites, medical information and computer internet protocol (IP) addresses.
The GDPR also includes specific provisions for sensitive personal data, or “special categories of data,” including passwords for access to information technology (IT) systems and websites, credit card details, Social Security numbers, passport numbers, and genetic and biometric data.
Data processing includes collecting, using, storing, disclosing and discarding.
The GDPR applies to all companies processing personal data of subjects residing in the EU. Specifically, it applies to organizations located within the EU, as well as organizations located outside the EU if they offer goods or services to, or monitor the behavior of, EU data subjects.
The GDPR requires entities that suffer data security breaches to notify the relevant data protection authority within 72 hours of discovery and to notify the affected subjects without undue delay. Data breach notification in the EU is a new requirement.
In the U.S., there is no general federal data breach notification law. Instead, whether notification is necessary depends on the state of residence of the affected individual and/or what information was compromised. Forty-eight states have data breach notification laws. And HIPAA has notification requirements for the compromise of protected health information. The already onerous requirements in the U.S. are further complicated by this GDPR requirement.
Steps Toward Compliance
Taking proactive measures now is the most effective way to minimize unauthorized uses or disclosures of PHI. At a minimum, your practice should:
- Nominate a privacy officer and security officer to be responsible for overseeing the development, implementation and maintenance of privacy policies and procedures for safeguarding PHI;
- Develop and implement a robust set of HIPAA policies and procedures;
- Regularly conduct a thorough review of existing HIPAA policies and procedures, and confirm those policies and procedures have actually been implemented and are effective. A written policy serves no purpose if it is not working or has not been implemented;
- Train workforce personnel on your policies and procedures and on common security incidents. Educate your workforce on how to identify a ransomware or phishing attack, and what action to take in the event of such an attack;
- Assemble an incident response team (IRT) and involve legal, IT and human resource representatives, among others;
- Draft an incident response plan (IRP). This will be your go-to document in the event of a breach. It should identify the IRT and clearly describe the decision-making process when handling security incidents;
- Test your IRT and IRP. This can be done by educating personnel and then testing your IRT on HIPAA compliance requirements. In addition, pose hypothetical security incidents to the IRT and have the team follow the IRP. Once completed, revise the IRP to overcome any shortcomings noted during the hypothetical scenario; and
- Perform a risk assessment, including penetration testing, of your computers, devices and electronic health record software.
Steven M. Harris, Esq., is a nationally recognized healthcare attorney with McDonald Hopkins LLC. Contact him at [email protected].
Create an Incident Response Team & Plan
HIPAA requires all covered entitities—no matter how large or small—to plan how they would respond to security incidents (i.e., how they prepare for incidents, detect and analyze incidents, and respond to incidents). However, the scope of an incident response plan (IRP) will vary based on the organization size, and a smaller organization may have a less involved IRP (fewer decision makers, etc.), but it must still have some sort of IRP.
The first step: You must identify the members of your incident response team (IRT). Security incidents affect almost every component of an organization, and failure to properly manage an incident can result in both long- and short-term consequences. For that reason, the team should include executive decision makers in the following areas:
- Information technology;
- Risk management/insurance;
- Human resources;
- Public relations; and
- Compliance and internal audit;
- Physical security;
- Other executives, as appropriate;
- Third-party response services (e.g., forensics, privacy counsel, notification).
Small practices may not have personnel dedicated to each of these functions and may need to assign one person to cover multiple areas. Example: If your practice doesn’t have a dedicated marketing and public relations staff member, your office manager may be the best person to represent those functions on the team. Once your IRT is assembled, you should get to work on your IRP.
The IRP is your go to document, and it should:
- Identify members of the incident response team;
- Establish alternate members in the event someone cannot fulfill their obligations for whatever reason;
- Include contact information (work, cell, home) for team members;
- Establish and define roles and responsibilities of the team and its members in the event of a privacy breach;
- Identify and describe both internal and external capabilities;
- Include decision trees;
- Identify a notification/escalation process; and
- Include Incident Report Forms for gathering evidence and tracking the investigation.