HIPAA Breach Reporting: Focus on Remediation in Responding to an HHS/OCR Investigation
Last year was another banner year for HIPAA data breaches reported to the Department of Health and Human Services Office for Civil Rights (HHS/OCR), and the reporting period has not yet closed: organizations that experienced breaches affecting fewer than 500 individuals have until 60 days after the end of the calendar year in which the breach was discovered to report them. (Breaches affecting 500 or more individuals must be reported without unreasonable delay and no later than 60 days after discovery.) For breaches discovered in 2018, that deadline is March 1, 2019. Covered entities that have not yet reported such breaches should do so promptly via the agency’s online breach reporting portal.
When is reporting required?
Under the HIPAA Breach Notification Rule, covered entities must report to HHS/OCR any breach of unsecured protected health information (PHI), meaning any “acquisition, access, use, or disclosure” of PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of the PHI. (PHI that was encrypted consistent with HHS guidance, with the key not compromised, is not “unsecured,” which is one practical reason encryption at rest and in transit matters.) A breach may occur even if the PHI was neither viewed by an unauthorized person nor removed from the covered entity’s network or facility. For example, HHS/OCR’s ransomware guidance treats PHI that was simply encrypted by ransomware as having been acquired by an unauthorized party. An impermissible use or disclosure is presumed to be a breach unless the covered entity demonstrates, through a documented risk assessment, that there is a low probability that the PHI has been compromised. That assessment must consider at least the nature and extent of the PHI involved, the unauthorized person who used the PHI or to whom it was disclosed, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated.
What should I expect when I report to HHS/OCR?
Depending on the circumstances, HHS/OCR may take no action, or it may open an investigation, which could lead to a resolution agreement with a corrective action plan or to civil money penalties. HHS/OCR’s approach depends on the incident and, in many cases, on how the covered entity responds. In any situation, however, there are a number of steps that covered entities should consider taking when dealing with HHS/OCR. A few suggested action steps are noted below:
- Conduct an updated HIPAA security risk analysis. The Security Rule requires covered entities and business associates to perform an accurate and thorough analysis of the risks to the confidentiality, integrity, and availability of their electronic PHI. Following a breach, update that analysis to account for what the incident revealed; if the existing analysis is not current, expect HHS/OCR to require that one be completed. Performing the analysis before reporting can serve as evidence of an ongoing commitment to compliance, but it must not delay the report past the notification deadline.
- Consult with a digital forensics firm. In breaches arising out of data security events, consider retaining a qualified and independent digital forensics firm to determine how the incident occurred, which systems and PHI were affected, and whether the attacker has been fully removed from the environment. A forensics firm may also identify vulnerabilities as part of the broader risk analysis, and it brings an unbiased, independent perspective to the findings you report.
- Schedule and document regular audits of your technical systems. The Security Rule requires periodic technical and non-technical evaluation of your safeguards, audit controls that record activity in systems containing electronic PHI, and regular review of those records (for example, access logs and audit trails). Conduct these evaluations and log reviews on a set schedule and document them; they can be handled internally or in conjunction with a vendor.
- Review policies and procedures. Take the time to review your HIPAA policies and procedures, addressing both the Privacy Rule requirements and the Security Rule requirements. Determine if they need updating or revision and start that process.
- Reevaluate relationships with business associates. If the breach resulted from a business associate’s handling of PHI, confirm that an appropriate Business Associate Agreement is in place, update it if necessary, and consider whether the relationship with that business associate should continue.
- Bolster your human firewall. Retrain employees as needed, and apply your sanctions policy consistently, including discipline or, where warranted, termination of workforce members who mishandle PHI. Provide frequent training on the proper handling of PHI and on recognizing social engineering attacks such as phishing, and verify that the training is documented.
- Review your Incident Response Plan. Review your incident response plan and confirm that it is up to date, including current contact information and the steps for performing the breach risk assessment and issuing notifications. Consider retraining staff on the plan if it has been a while since training was done.
When reporting breaches to HHS/OCR, organizations should be mindful of these remedial steps, which demonstrate an ongoing commitment to HIPAA compliance. That demonstrated commitment can help reduce the risk that HHS/OCR opens an investigation or imposes penalties. Just as importantly, robust HIPAA compliance helps prevent additional breaches in the long term.