BreachExchange mailing list archives

A Mobile Device Triggered a HIPAA Breach In Your Office…Now What?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 15 Jan 2016 09:09:38 -0700

http://physiciansnews.com/2016/01/14/mobile-device-hipaa-breach/

In today’s health care environment, even the smallest practices have
integrated the use of mobile devices into their daily practices;
recordkeeping using laptops, tablets, and even cell phones has become a
norm, rather than an exception. This is no surprise, given the portability
and convenience of using such devices, which allow practitioners to access
patient records from wherever they are. What does this increased reliance
on mobile devices mean for practices’ efforts to protect protected health
information (“PHI”) in accordance with HIPAA’s rules?

Consider this scenario: last night, a diligent associate physician took
home a company-owned laptop to catch up on notes from yesterday’s patient
visits. Upon getting home, the physician parked his car on the street in
front of his home and went inside to have dinner with his family. After
dinner, he returned to his car to get the laptop and get to work, but, to
his surprise, his car had been broken into and his laptop bag had been
stolen. The physician immediately called the police and his Practice
manager.

What happens next?

Step 1: Conduct a Risk Assessment

The Practice must act immediately to determine if this HIPAA incident is,
in fact, a HIPAA breach. The impermissible use or disclosure of PHI is
presumed to be a breach unless the covered entity (i.e., the Practice)
demonstrates that there is a low probability that the PHI has been
compromised.

The first step is to conduct and document an assessment of the incident, a
“Who? What? Where? When? How?” type of analysis. This assessment should
allow the Practice to determine:

- the nature and extent of the PHI involved, including the types of
identifiers and the likelihood of re-identification;
- the unauthorized person who used the PHI or to whom the disclosure was
made;
- whether the PHI was actually acquired or viewed; and
- the extent to which the risk to the PHI has been mitigated.

The results of this assessment are especially important because, if a
breach did take place, mandatory reporting requirements are triggered.
Again, the incident is presumed to be a breach unless the Practice can show
(through the documented assessment above) that there is a low probability
that the PHI has been compromised. In the stolen-laptop scenario, the
decisive facts under the last two factors are whether the disk was
encrypted and whether the decryption key was kept off the device.

Step 2: Determine Who Must be Notified and How

If the Practice determines that a breach has taken place, it is responsible
for notifying the affected individuals, the Department of Health and Human
Services (HHS), and, in some cases, even the media.

Individual Notice

Affected individuals must be notified without unreasonable delay and in no
case later than 60 calendar days after the date of discovery, in writing
and in plain language, by first-class mail or by email (if the affected
individual has agreed to receive such notices electronically). The notice
must contain the following, to the extent possible:

- a brief description of the breach (again, a “Who? What? Where? When?”
analysis);
- description of the types of information that were involved in the breach;
- steps affected individuals should take to protect themselves from
potential harm;
- brief description of what the Practice is doing to investigate the
breach, mitigate the harm, and prevent future breaches; and
- contact information for the Practice.

Perhaps more important than being able to check off the “individual notice”
box on your practice’s Breach Notification Policy, this notice should serve
to reassure your patients. Yes, there was an impermissible use or
disclosure. Sure, the patients’ information may have been accessed.
However, the Practice has taken reasonable and appropriate steps to
investigate what happened and has begun acting to put into place measures
to prevent reoccurrence. The letter should highlight ways that the patient
can protect himself or herself. For example, you can provide information
about identity theft protection. Consider including information about
credit monitoring in order for patients to identify fraud and identity
theft, free fraud alerts that can be placed on affected individuals’ files
by contacting any of the nationwide credit reporting companies, and a
reminder to carefully review the explanation of benefits statements
received from insurers to detect any services not received by the patient;
finally, include information about how the patient can report identity
theft if he or she sees anything suspicious.


Government Notice

Government reporting requirements depend on the number of individuals
affected by the HIPAA breach. If the breach involved 500 or more
individuals, notice must be provided to HHS without unreasonable delay and
in no case later than 60 days after the date of discovery. A common
misconception is that only these large breaches must be reported to the
government. This is not true.

In the case of breaches affecting fewer than 500 individuals (think
misdirected emails, information faxed to the wrong number, and improper
access to patient records), the best practice is to maintain a HIPAA breach
log so that all of the breaches discovered over the course of the year can
be reported together. These breaches must be reported no later than 60
days after the end of the calendar year in which the breach was discovered.
All government notice requirements can be satisfied by filling out the form
available at:
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html

Media Notice

Like the required government notice, media reporting requirements are
dependent on the number of individuals affected by the HIPAA breach. If the
breach affected more than 500 residents of any state or jurisdiction, the
media must be notified without unreasonable delay and, again, no later than
60 days after the date of discovery. This notice is usually provided via
press release, containing the same information as was provided to the
affected individuals.
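The notification timing rules above (Individual, Government and Media Notice, plus the sub-500 breach log) are easy to get wrong in practice: the HHS test is "500 or more individuals" in total, the media test is "more than 500 residents" of a single state or jurisdiction, and the small-breach HHS deadline runs from the end of the calendar year rather than from discovery. The following Python breach-log calculator is an added example, not part of the original article or the linked physiciansnews.com piece. It assumes calendar days, takes the discovery date as given, and uses constructed incident records; the incident identifiers and descriptions are invented.

```python
"""Breach-log deadline calculator encoding the HIPAA notification timing
rules as stated in the article.  Added example with constructed data; it
assumes calendar days and that `discovered` is the date the Practice
learned of the incident."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

NOTICE_WINDOW = timedelta(days=60)
HHS_IMMEDIATE_THRESHOLD = 500  # 500 or more individuals: HHS notice within 60 days of discovery
MEDIA_THRESHOLD = 500          # more than 500 residents of one state: media notice required


@dataclass(frozen=True)
class BreachRecord:
    """One line of the Practice's HIPAA breach log."""
    incident_id: str
    discovered: date                   # date the Practice learned of the incident
    affected_by_state: Dict[str, int]  # state or jurisdiction -> residents affected
    summary: str = ""

    @property
    def total_affected(self) -> int:
        return sum(self.affected_by_state.values())


def individual_notice_deadline(rec: BreachRecord) -> date:
    """Written notice to every affected individual: 60 days from discovery."""
    return rec.discovered + NOTICE_WINDOW


def hhs_notice_deadline(rec: BreachRecord) -> date:
    """HHS notice: 60 days from discovery for 500 or more individuals; otherwise
    the breach goes on the annual log, due 60 days after the end of the
    calendar year in which it was discovered."""
    if rec.total_affected >= HHS_IMMEDIATE_THRESHOLD:
        return rec.discovered + NOTICE_WINDOW
    return date(rec.discovered.year, 12, 31) + NOTICE_WINDOW


def media_notice_states(rec: BreachRecord) -> List[str]:
    """States/jurisdictions with more than 500 affected residents.  The test is
    per state: 570 people split across two states can require HHS notice within
    60 days and still require no media notice at all."""
    return sorted(s for s, n in rec.affected_by_state.items() if n > MEDIA_THRESHOLD)


def media_notice_deadline(rec: BreachRecord) -> Optional[date]:
    return rec.discovered + NOTICE_WINDOW if media_notice_states(rec) else None


def annual_log(records: List[BreachRecord], year: int) -> List[BreachRecord]:
    """Sub-500 breaches discovered in `year`: the batch reported to HHS together."""
    return [r for r in records
            if r.discovered.year == year and r.total_affected < HHS_IMMEDIATE_THRESHOLD]


def overdue_notices(records: List[BreachRecord], today: date) -> List[Tuple[str, str, date]]:
    """(incident_id, notice kind, deadline) for every deadline that has already passed."""
    overdue = []
    for rec in records:
        deadlines = [("individual", individual_notice_deadline(rec)),
                     ("hhs", hhs_notice_deadline(rec)),
                     ("media", media_notice_deadline(rec))]
        for kind, due in deadlines:
            if due is not None and due < today:
                overdue.append((rec.incident_id, kind, due))
    return overdue


# Constructed sample log entries (not real incidents).
LAPTOP_THEFT = BreachRecord("INC-2016-001", date(2016, 1, 14), {"PA": 320},
                            "Unencrypted practice laptop stolen from physician's car")
MISDIRECTED_FAX = BreachRecord("INC-2016-002", date(2016, 3, 2), {"PA": 1},
                               "Visit summary faxed to wrong number")
TWO_STATE_EXPORT = BreachRecord("INC-2016-003", date(2016, 1, 14), {"PA": 450, "NJ": 120},
                                "Billing export emailed to unauthorized recipient")
EXACT_500 = BreachRecord("INC-2016-004", date(2016, 12, 30), {"NJ": 500},
                         "Shared-drive folder left world-readable")
STATEWIDE = BreachRecord("INC-2016-005", date(2016, 6, 30), {"PA": 501, "NJ": 40},
                         "Backup tape lost in transit")
RECORDS = [LAPTOP_THEFT, MISDIRECTED_FAX, TWO_STATE_EXPORT, EXACT_500, STATEWIDE]

if __name__ == "__main__":
    for rec in RECORDS:
        print(f"{rec.incident_id}: {rec.total_affected} affected; "
              f"individuals by {individual_notice_deadline(rec)}, "
              f"HHS by {hhs_notice_deadline(rec)}, "
              f"media {media_notice_states(rec) or 'not required'}")
    print("overdue as of 2016-04-01:", overdue_notices(RECORDS, date(2016, 4, 1)))
```

Run as a script it prints each record's deadlines; the interesting rows are INC-2016-003 (570 people, HHS within 60 days, no media notice because no single state exceeds 500) and INC-2016-004 (exactly 500 in one state, which meets the HHS threshold but not the media one). The "unreasonable delay" standard still applies, so these dates are outer limits, not targets.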

Step 3: Practice Review

So, you had a breach. You reviewed your policies and procedures related to
breach notification and you sent required notice to all who were required
to receive it under the regulations. You are not done. Maybe more critical
than following the Breach Notification Rule is conducting an assessment of
the breach so your Practice can learn from it – What happened? Why did it
happen? What changes need to be made to ensure that the Practice does not
experience a reoccurrence?

The best way to protect your Practice is to prevent the breach from
happening in the first place. Let’s consider the above hypothetical. What
could the Practice have done differently? With respect to portable devices,
you should pay particular attention to the following:

- Require a strong password or other user authentication on every device,
with an automatic screen lock after a short idle period.
- The Practice should be able to remotely “wipe” a mobile device clean of
all PHI should it be lost or stolen. Note that a remote wipe only takes
effect if the device comes back online; a thief who keeps it offline is
stopped only by encryption.
- Consider anti-virus software to the extent that it is available for the
portable device (e.g., laptops) to protect the device from malware. It does
nothing for PHI on a device that has been physically stolen.
- Encrypt the device’s storage. Full-disk encryption makes a lost or stolen
device that much more difficult to access and, under HHS guidance, PHI
encrypted consistent with NIST standards is “secured” PHI whose loss does
not trigger the notification obligations described above, provided the
decryption key was not stored on or with the device.
- Have an action plan for devices that are no longer being used because an
employee left the Practice or because the device has been replaced with a
newer model. Note that this becomes a trickier issue when dealing with
personal devices with access to PHI as opposed to company-issued devices.

For a more comprehensive review of your Practice’s liability exposure, you
can use the tool available at:
https://www.healthit.gov/providers-professionals/security-risk-assessment-tool.
Once your Practice has conducted a practice-wide risk assessment to
identify your Practice’s security weaknesses, draft policies and procedures
on how protected health information will be used, stored, and shared.
Conduct HIPAA training at the time of hire and conduct practice-wide
education at least annually. Hold individuals accountable when mistakes are
made and re-educate whenever necessary. Finally, maintain a culture of
compliance to mitigate risk and reduce exposure to liability.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Need access to data breach details or alerts when new breaches happen? Risk Based Security's Cyber Risk Analytics 
portal, fueled by the RBS breach research team, provides detailed information on how data breaches occur and which 
vendors to trust. Contact us today for a demo.
