[ Thursday, July 12, 2018 ]
Jeff [10:55 AM]
Miss me? Sorry, took some vacation time, then had to dig out at work before hitting the blog.
While I was away, I did get an interesting email question from a lawyer in the Kansas City area:
I advise a company that routinely enters into BAAs; in doing
so my colleagues and I try to limit reporting requirements for security
incidents that do not rise to the level of breaches of unprotected PHI,
especially security incidents consisting merely of unsuccessful pings.
I just read your post at this link -- https://hipaablog.blogspot.com/search?q=ping
-- in which you indicated, “Since reporting pings is required, I now
include it in my BAAs, but minimize the reporting to the barest minimum to
still comply with the regulations: a minimal number of reports (no more often
than quarterly), with minimal information…”
I had thought that security incidents had to be reported
within 60 days of discovery [per § 164.410 (a) as referenced by § 164.314
(a)(2)(i)(C) ] or does the 60 days “as required by § 164.410” apply only to the
last phrase -- “breaches of unsecured protected health information” – and not
to the entire sentence – “Report to the covered entity any security incident of
which it becomes aware, including breaches of unsecured protected health
information as required by § 164.410“?
If security incidents are subject to the 60 day rule,
wouldn’t quarterly reporting fall short for those security incidents that
happened within the last quarter, but more than 60 days ago? Or is my
reading missing something?
Thank you for your thoughts on this.
Well, here are my thoughts:
There are 3 different concepts to keep in mind here, that occasionally overlap in fact and even more often overlap in casual consideration of things HIPAA.
First, you’ve got your generic “HIPAA breach.” That’s basically any breach of the obligations or requirements of HIPAA. Don’t have good policies and procedures? If you’re a covered entity, that’s a HIPAA breach. Fail to give a patient a NoPP? HIPAA breach. Sell your patient data to a marketing company without patient consent and appropriate disclosure? HIPAA breach. All of HIPAA, statutes and regs, could be the basis for a HIPAA breach.
Next, you’ve got a “breach of unsecured PHI.” These are defined in and restricted to the provisions of Subpart D of Part 164 (i.e., 45 CFR 164.400 – 414, or “the 400 series”). That would be an (i) improper (ii) acquisition, use, access or disclosure of (iii) unsecured PHI that (iv) compromises security or privacy. Loss of an unencrypted laptop, misdirected emails, or a data-stealing hack would all be breaches of unsecured PHI (assuming that the PHI is, in fact, unsecured and the incident does compromise the security or privacy of the PHI, i.e., there’s more than a low probability of compromise). Selling patient data to a marketing company is a breach of unsecured PHI (and also a HIPAA breach), but failure to have good policies and procedures or give patients NoPPs would not be a breach of unsecured PHI (although they would be HIPAA breaches).
Finally, you’ve got “security incidents.” These are governed by Subpart C, or the 300 series (45 CFR 164.302 – 318), which only applies to electronic PHI. This is the broadest definition, which is unfortunate: any attempted or successful unauthorized access, use, disclosure, modification or destruction of information, or interference with system operations, in an information system (45 CFR 164.304). Since it includes “attempted,” any ping is a “security incident.” The BAA provisions require the BAA to say that the BA will report ANY security incident. So, a BA should be reporting every ping. It seems that any breach of unsecured PHI, if it involved electronic PHI, would also be a security incident, since it would be an unauthorized access or disclosure; however, theoretically a breach of unsecured PHI involving paper records only would not be a security incident, since the information is not electronic or in an information system (and the Security Rule only applies to electronic PHI).
So, let’s talk about reporting requirements. As noted, security incidents have reporting obligations within the context of the BAA: the BA must report them to the Covered Entity. There is also a reporting obligation with respect to breaches of unsecured PHI, but it’s a different reporting obligation and serves a different purpose. Security incident reports are in the context of the subservience of the BA to the CE; breach of unsecured PHI reporting was designed to track the “data breach reporting” obligations first instituted by California state law on all data processors and possessors. That data breach reporting obligation is intended to put the general public on “fair notice” if a business suffers a data breach that actually could be more damaging to the customer (whose data is exposed) than to the business that lost it. A company suffering a data breach could be totally blameless: it may have used the best available security, but some bad actor committed criminal acts and got the data. But it is still obligated to report. Thus, data breach reporting, like security incident reporting, does not necessarily indicate that the reporting entity did anything wrong. HIPAA breaches don’t have any specific reporting requirements (unless they are also a security incident or a breach of unsecured PHI), but if there’s a HIPAA breach, there is almost certainly blame.
All Subpart D references are solely to breaches of unsecured PHI. Take a look at 164.410: upon discovering a breach of unsecured PHI, the BA must report it to the CE (not to the affected individual, not to OCR) within 60 days; the CE then carries on the obligation to report to affected individuals. Also, note that it doesn’t matter if the breach had anything to do with the BA. If the BA finds the CE’s unsecured PHI being offered on the Dark Web, even though the BA had nothing to do with it, the BA still has to report it.
That tracks, because reporting breaches of unsecured PHI is about passing along information (ultimately to the affected individual, since that’s the next obligation once the BA reports to the CE), not about laying blame (at least not necessarily). Finally, note that this is only relating to breaches of unsecured PHI, not HIPAA breaches or security incidents. Section 164.314, on the other hand, relates to security incidents. This also requires the BAA to include an obligation on the BA to report ANY security incident, including a breach of unsecured PHI (presumably this only refers to breaches of unsecured PHI that are also security incidents; however, since 410 already requires reporting of all breaches of unsecured PHI, whether they are or aren’t security incidents, there’s really no need for the regs to reiterate that here). Note that the 314 reporting obligation (security incidents) does not contain a timing requirement, whereas the 410 reporting obligation (breach of unsecured PHI) does.
Thus, if it’s a security incident, it must be reported by the BA to the CE, but there’s no timing obligation; if it’s a breach of unsecured PHI, then it must be reported by the BA to the CE within 60 days. If it’s both, then presumably both reporting requirements apply, and thus the 60-day deadline governs. I don’t see how an unsuccessful security incident could be a breach of unsecured PHI (if it’s the latter, it must’ve been successful). Thus, requiring reporting of unsuccessful security incidents without a timeline would be OK, because it would meet the obligations under 314 while not being subject to the obligations of 410.
Let me know if you disagree.