Mark J. Fox (mfox@acc.org) is Privacy and Research Compliance Officer at American College of Cardiology in Washington, DC. Thora A. Johnson (tajohnson@venable.com) is a Partner at Venable LLP in Baltimore, MD.
Business associates perform functions on behalf of covered entities, such as health insurance issuers and most healthcare providers, that require the use and disclosure of protected health information (PHI).[1] The risk of a breach is real. A business associate that takes a proactive approach will allow both the business associate and the covered entity to respond more effectively and expeditiously under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Breach Notification Rule and other applicable federal and state law.
What must a business associate report to a covered entity?
A business associate must report to its covered entities (1) security incidents of which it becomes aware, including a breach of unsecured PHI,[2] and (2) any impermissible use or disclosure of PHI of which it becomes aware, including breaches of unsecured PHI.[3] In order to effectively evaluate the need for notice from a business associate to a covered entity, it is important to understand the following definitions:
A “security incident” is “the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.”[4] An “information system” means “an interconnected set of information resources under the same direct management control that shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people.”
An impermissible use or disclosure of PHI is any use or disclosure of PHI that is not permitted by the agreement with the respective covered entity (otherwise known as a business associate agreement).[5]
A breach of unsecured PHI is defined as “the acquisition, access, use, or disclosure of protected health information in a manner not permitted” by the privacy rule that compromises the security or privacy of the PHI.[6] PHI is deemed to be unsecured PHI when it is “not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by” the secretary of the U.S. Department of Health & Human Services, such as encryption.
Importantly, though, the definition of “breach” has exceptions. Specifically:
- The “unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority”;
- The inadvertent disclosure of PHI “by a person who is authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the same covered entity or business associate, or organized health care arrangement in which the covered entity participates”; and
- When the covered entity or business associate has “a good faith belief that an unauthorized person to whom the [impermissible] disclosure was made would not reasonably have been able to retain such information.”[7]
In both the first and second exclusion listed above, the information cannot be further used or disclosed in a manner not permitted by the HIPAA Privacy Rule.
Determination of breach based on a risk assessment
Outside of the exceptions from the definition of breach outlined above, any acquisition, access, use, or disclosure of PHI in a manner not permitted by the privacy rule is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment of at least the following factors:
- “The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
- “The unauthorized person who used the protected health information or to whom the disclosure was made;
- “Whether the protected health information was actually acquired or viewed; and
- “The extent to which the risk to the protected health information has been mitigated.”
The role of the business associate in notification and risk assessment
Now that the definitions have been clarified, we need to consider the role of the business associate in notifications and risk assessment.
- What is the time frame for business associate reporting of security incidents, impermissible uses and disclosures, and breaches of unsecured PHI?
- How and to whom does the business associate provide the notice of the breach to the covered entity?
- Does an exception to a breach determined by the business associate or covered entity apply?
- Does the business associate or covered entity determine the security incident or impermissible use, or whether the disclosure rises to the level of a breach under the risk assessment?
- Do the timelines align with other federal and state law reporting obligations, such as under state data breach laws?
- Who is responsible for giving notice to individuals, the media, the U.S. Department of Health & Human Services Office for Civil Rights—the federal agency that enforces HIPAA—and other federal and state regulators?
Reporting from business associate to covered entity
The business associate agreement should clearly delineate roles and responsibilities relating to breach notification and response. HIPAA requires that a business associate notify affected covered entities of a breach of unsecured PHI without unreasonable delay, and in no case later than 60 calendar days after discovery of the breach.[8] In contrast, HIPAA does not define the time frame required for a business associate to report a security incident or an impermissible use or disclosure to the covered entity. In many instances, however, a security incident or impermissible use or disclosure may meet the definition of a breach of unsecured PHI, so it is critically important for the parties to determine the time frame for reporting. As such, covered entities typically require that all three events—security incidents, impermissible use or disclosure, and breaches—be reported promptly from the business associate to the covered entity, often within 72 hours, through contractual provisions in the business associate agreement. Of course, a security incident includes an unsuccessful event. A covered entity typically does not want to receive notice of every unsuccessful event, such as pings. To address this concern, the business associate and covered entity may negotiate provisions whereby the business associate agreement itself serves as notice of unsuccessful security incidents or a log of unsuccessful security incidents is provided upon request.
The notice of breach by the business associate to the covered entity must provide the following information:[9]
- “A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;
- “A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
- “Any steps individuals should take to protect themselves from potential harm resulting from the breach;
- “A brief description of what the [business associate] involved is doing to investigate the breach, to mitigate harm to Individuals, and to protect against any further breaches; and
- “Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.”[10]
Oftentimes, covered entities request the same information in notices of security incidents and impermissible uses and disclosures—and not just in terms of a breach—because the covered entity needs this information to determine whether a security incident or impermissible use or disclosure gives rise to a breach. At a minimum, the business associate must provide enough detail to the covered entity to complete the risk assessment, if that responsibility has not been delegated to the business associate under the business associate agreement.
The business associate agreement should include notice specifications, such as how (for example, email) and to whom (for example, to the privacy officer) the notice should be given.
Notice to affected individuals, media, and federal and state regulators
Similarly, a covered entity has to report a breach to affected individuals “without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.”[11] A frequently asked question by both covered entities and business associates is when the 60-day countdown starts. Does it start when the business associate discovers the breach, or when the covered entity is notified of the breach by the business associate? The preamble to the HIPAA Privacy Rule clarified that it depends on a facts and circumstances determination as to whether the business associate is the covered entity’s agent.[12] In the slightly more unusual case, if the business associate is an agent of the covered entity, the timeclock starts once the business associate discovers the breach. Otherwise, it begins when the covered entity is notified by the business associate of the incident giving rise to the breach.[13]
A covered entity may delegate the responsibility to send notices to affected individuals to the business associate. Therefore, the business associate agreement should clarify who is responsible for the required notices under HIPAA.
Moreover, there may be additional federal and state regulators to be notified, including state attorneys general—since each state has a breach notification law, each state law needs to be carefully analyzed to determine whether an incident requires notice to individuals and the applicable state attorney general—and departments of insurance (e.g., in accordance with the Insurance Data Security Model Law).[14] The state laws may have shorter reporting deadlines as well. Public companies may have an obligation to notify the U.S. Securities and Exchange Commission.[15]
When is a media notification required?
Covered entities that experience a breach affecting more than 500 residents of a state or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the state or jurisdiction. This notification is often provided in the form of a news release to appropriate media outlets serving the affected area. Like individual notice, this media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include the same information required for the individual notice.[16]
Be prepared when, and if, a breach happens
Prudently, most organizations develop their breach response around the “when” situation versus the “if” situation. Business associates should ensure that they have a complete list of all of their covered entities who would require notification of a security incident or impermissible use or disclosure, whether it rises to a level of a breach or not. Contact information changes; a business associate should periodically update its covered entities’ contact information to ensure that notices are delivered.
Business associates should also be situationally aware of what their business associate agreement states regarding breach notification and response so that they are prepared to respond in the case of a breach. A business associate should have an incident response plan in place, and it is a best practice to exercise the plan to ensure it works effectively.
What can business associates do to be prepared?
- Keep a running list of their covered entities and periodically evaluate the underlying business associate agreements to understand the variability in obligations relating to notice (for example, reporting time frame) and incident response.
- Periodically update the contact information for the individuals identified as the recipient of notice under their business associate agreements to make sure the information is accurate. Consider asking for a “privacy@” address to deliver such notices.
- There may be variability in the covered entities’ risk posture—be prepared to discuss the risk assessment.
- Be prepared to send supplemental notices as more information becomes available. Often, the business associate must provide notice in an extremely short time frame prior to completing the internal investigation. Providing supplemental notices provides covered entities with ongoing communication and new information necessary to complete risk assessment and make determinations on required notifications.
- In instances where breaches involve multiple covered entities, consider developing a frequently asked questions document and making it available to affected covered entities.
- In instances where the breach involves subcontractors, ensure there is collaboration with them during the response to ensure consistent messaging.
- Be prepared for media contact and ensure that the incident response team includes public relations.
- Ensure the breach response team is available for months after the initial notice.
- Be prepared for a document request from the Office for Civil Rights and remember that the entire HIPAA program may be scrutinized.
- Have an established relationship with the cyber liability insurance provider.
- Be prepared to receive an influx of due diligence requests from covered entities if the event arises from a security incident.
- Revisit the breach/incident response plan and privacy program to incorporate lessons learned from each response.
The more prepared a business associate is for providing notice, the smoother the process will be. Understanding the applicable federal and state notification obligations, maintaining a repository of business associate contracts, and having an incident response plan that takes into account the above factors will help a business associate be prepared and go a long way in helping to defuse a stressful situation.
Takeaways
- Understand the requirements of the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule.
- Review other applicable federal and state breach notification laws.
- Catalog business associate agreements and understand variability in the time frames associated with notice.
- Know the covered entities’ HIPAA privacy officers.
- Incorporate valuable lessons from past experience.