[ Thursday, July 12, 2018 ]
Jeff [10:55 AM]
Miss me? Sorry, took some vacation time, then had to dig out at work before hitting the blog.
While I was away, I did get an interesting email question from a lawyer in the Kansas City area:
I advise a company that routinely enters into BAAs; in doing so my colleagues and I try to limit reporting requirements for security incidents that do not rise to the level of breaches of unprotected PHI, especially security incidents consisting merely of unsuccessful pings.

I just read your post at this link -- https://hipaablog.blogspot.com/search?q=ping -- in which you indicated, “Since reporting pings is required, I now include it in my BAAs, but minimize the reporting to the barest minimum to still comply with the regulations: a minimal number of reports (no more often than quarterly), with minimal information…”

I had thought that security incidents had to be reported within 60 days of discovery [per § 164.410(a) as referenced by § 164.314(a)(2)(i)(C)], or does the 60 days “as required by § 164.410” apply only to the last phrase -- “breaches of unsecured protected health information” -- and not to the entire sentence -- “Report to the covered entity any security incident of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410”?

If security incidents are subject to the 60 day rule, wouldn’t quarterly reporting fall short for those security incidents that happened within the last quarter, but more than 60 days ago? Or is my reading missing something?

Thank you for your thoughts on this.
Well, here are my thoughts:

There are 3 different concepts to keep in mind here, which occasionally overlap in fact and even more often overlap in casual consideration of things HIPAA.
First, you’ve got your generic “HIPAA breach.” That’s basically any breach of the obligations or requirements of HIPAA. Don’t have good policies and procedures? If you’re a covered entity, that’s a HIPAA breach. Fail to give a patient a NoPP? HIPAA breach. Sell your patient data to a marketing company without patient consent and appropriate disclosure? HIPAA breach. All of HIPAA, statutes and regs, could be the basis for a HIPAA breach.
Next, you’ve got a “breach of unsecured PHI.” These are defined in and restricted to the provisions of Subpart D of Part 164 (i.e., 45 CFR 164.400 – 414, or “the 400 series”). That would be an (i) improper (ii) acquisition, use, access or disclosure of (iii) unsecured PHI that (iv) compromises security or privacy. Loss of an unencrypted laptop, misdirected emails, or a data-stealing hack would all be breaches of unsecured PHI (assuming that the PHI is, in fact, unsecured and the incident does compromise the security or privacy of the PHI, i.e., there’s more than a low probability of compromise). Selling patient data to a marketing company is a breach of unsecured PHI (and also a HIPAA breach), but failure to have good policies and procedures or give patients NoPPs would not be a breach of unsecured PHI (although they would be HIPAA breaches).
Finally, you’ve got “security incidents.” These are governed by subpart C, or the 300 series (45 CFR 164.302 -- 318), which only applies to electronic PHI. This is the broadest definition, which is unfortunate: any attempted or successful unauthorized access, use, disclosure, modification or destruction of information or operation interfaces within an information system. Since it includes “attempted,” any ping is a “security incident.” The BAA provisions require the BAA to say that the BA will report ANY security incident. So, a BA should be reporting every ping. It seems that any breach of unsecured PHI, if it involved electronic PHI, would also be a security incident, since it would be an unauthorized access or disclosure; however, theoretically a breach of unsecured PHI involving paper records only would not be a security incident, since the information is not electronic or in an information system (and the Security Rule only applies to electronic PHI).
So, let’s talk about reporting requirements. As noted, security incidents have reporting obligations within the context of the BAA: the BA must report them to the Covered Entity. There is also a reporting obligation with respect to breaches of unsecured PHI, but it’s a different reporting obligation and serves a different purpose. Security incident reports are in the context of the subservience of the BA to the CE; breach of unsecured PHI reporting was designed to track the “data breach reporting” obligations first instituted by California state law on all data processors and possessors. That data breach reporting obligation is intended to put the general public on “fair notice” if a business suffers a data breach that actually could be more damaging to the customer (whose data is exposed) than the business that lost it. A company suffering a data breach could be totally blameless: it may have used the best available security, but some bad actor committed criminal acts and got the data. But it is still obligated to report. Thus, data breach reporting, like security incident reporting, does not necessarily indicate that the reporting entity did anything wrong. HIPAA breaches don’t have any specific reporting requirements (unless they are also a security incident or a breach of unsecured PHI), but if there’s a HIPAA breach, there is almost certainly blame.

All subpart D references are solely to breaches of unsecured PHI. Take a look at 164.410: upon discovering a breach of unsecured PHI, the BA must report it to the CE (not to the affected individual, not to OCR) within 60 days; the CE then carries on the obligation to report to affected individuals. Also, note that it doesn’t matter if the breach had anything to do with the BA. If the BA finds the CE’s unsecured PHI being offered on the Dark Web, even though the BA had nothing to do with it, the BA still has to report it. That tracks, because reporting breaches of unsecured PHI is about passing along information (ultimately to the affected individual, since that’s the next obligation once the BA reports to the CE), not about laying blame (at least not necessarily). Finally, note that this only relates to breaches of unsecured PHI, not HIPAA breaches or security incidents. Section 164.314, on the other hand, relates to security incidents. It also requires the BAA to include an obligation on the BA to report ANY security incident, including a breach of unsecured PHI (presumably this only refers to breaches of unsecured PHI that are also security incidents; however, since 410 already requires reporting of all breaches of unsecured PHI, whether they are or aren’t security incidents, there’s really no need for the regs to reiterate that here). Note that the 314 reporting obligation (security incidents) does not contain a timing requirement, whereas the 410 reporting obligation (breach of unsecured PHI) does.
Thus, if it’s a security incident, it must be reported by the BA to the CE, but there’s no timing obligation; if it’s a breach of unsecured PHI, then it must be reported by the BA to the CE within 60 days. If it’s both, then presumably both reporting requirements apply, and thus the 60-day notice requirement governs. I don’t see how an unsuccessful security incident could be a breach of unsecured PHI (if it’s the latter, it must’ve been successful). Thus, requiring reporting of unsuccessful security incidents without a timeline would be OK, because it would meet the obligations under 314 while not being subject to the obligations of 410. Let me know if you disagree.