In today’s health care environment, even the smallest practices have integrated the use of mobile devices into their daily practices; recordkeeping using laptops, tablets, and even cell phones has become a norm, rather than an exception. This is no surprise, given the portability and convenience of using such devices, which allow practitioners to access patient records from wherever they are. What does this increased reliance on mobile devices mean for practices’ efforts to protect protected health information (“PHI”) in accordance with HIPAA’s rules?
Consider this scenario: last night, a diligent associate physician took home a company-owned laptop to catch up on notes from yesterday’s patient visits. Upon getting home, the physician parked his car on the street in front of his home and went inside to have dinner with his family. After dinner, he returned to his car to get the laptop and get to work, but, to his surprise, his car had been broken into and his laptop bag had been stolen. The physician immediately called the police and his Practice manager.
What happens next?
Step 1: Conduct a Risk Assessment
The Practice must act immediately to determine if this HIPAA incident is, in fact, a HIPAA breach. The impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity (i.e., the Practice) demonstrates that there is a low probability that the PHI has been compromised.
The first step is to conduct and document an assessment of the incident – a “Who? What? Where? When? How?” type of analysis. This assessment should allow the Practice to determine:
- the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification, if the PHI was de-identified;
- the unauthorized person who used the PHI or to whom the disclosure was made;
- whether the PHI was actually acquired or viewed; and the extent to which the risk to the PHI has been mitigated.
The results of this assessment are especially important because, if a breach did take place, mandatory reporting requirements are triggered. Again, a breach has taken place unless the practice can show (through the above risk assessment) that there is a low probability that the PHI has been compromised.
Step 2: Determine Who Must be Notified and How
If the Practice determines that a breach has taken place, it is responsible for notifying the affected individuals, the Department of Health and Human Services (HHS), and, in some cases, even the media.
Affected individuals must be notified without unreasonable delay and in no case later than 60 days after the date of discovery, in plain English writing, by first-class mail or by email (if the affected individual has agreed to receive such notices electronically). The notice must contain the following, to the extent possible:
- brief description of the breach (again, a “Who? What” Where? When?” analysis);
- description of the types of information that were involved in the breach;
- steps affected individuals should take to protect themselves from potential harm;
- brief description of what the Practice is doing to investigate the breach, mitigate the harm, and prevent future breaches; and
- contact information for the Practice.
Perhaps more important than being able to check off the “individual notice” box on your practice’s Breach Notification Policy, this notice should serve to reassure your patients. Yes, there was an impermissible use or disclosure. Sure, the patients’ information may have been accessed. However, the Practice has taken reasonable and appropriate steps to investigate what happened and has begun acting to put into place measures to prevent reoccurrence. The letter should highlight ways that the patient can protect himself or herself. For example, you can provide information about identity theft protection. Consider including information about credit monitoring in order for patients to identify fraud and identity theft, free fraud alerts that can be placed on affected individuals’ files by contacting any of the nationwide credit reporting companies, and a reminder to carefully review the explanation of benefits statements received from insurers to detect any services not received by the patient; finally, include information about how the patient can report identity theft if he or she sees anything suspicious.
Government reporting requirements are dependent on the number of individuals affected by the HIPAA breach. If the breach involved 500 or more individuals, notice must be provided without unreasonable delay and in no case later than 60 days after the date of discovery. A common misconception is that only these large breaches must be reported to the government. This is not true.
In the case of breaches affecting fewer than 500 individuals (think misdirected emails, improperly sent information via fax, and improper access to patient records), the best practice is to maintain a HIPAA breach log so that you can easily report all of the breaches that took place over the course of the year. These breaches must be reported no later than 60 days after the end of the calendar year in which the breach was discovered. All government notice requirements can be satisfied by filling out the form available at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html.
Like the required government notice, media reporting requirements are dependent on the number of individuals affected by the HIPAA breach. If the breach affected more than 500 residents of any state or jurisdiction, the media must be notified without unreasonable delay and, again, no later than 60 days after the date of discovery. This notice is usually provided via press release, containing the same information as was provided to the affected individuals.
Step 3: Practice Review
So, you had a breach. You reviewed your policies and procedures related to breach notification and you sent required notice to all who were required to receive it under the regulations. You are not done. Maybe more critical than following the Breach Notification Rule is conducting an assessment of the breach so your Practice can learn from it – What happened? Why did it happen? What changes need to be made to ensure that the Practice does not experience a reoccurrence?
The best way to protect your Practice is to prevent the breach from happening in the first place. Let’s consider the above hypothetical. What could the Practice have done differently? With respect to portable devices, you should pay particular attention to the following:
- It is best practice to ensure that devices have secure password protection or other type of user authentication.
- The Practice should be able to remotely “wipe” a mobile device clean of all PHI should it be lost or stolen.
- Consider anti-virus software to the extent that it is available for the portable device (e.g., laptops) to protect the device from unauthorized access.
- Consider encryption, which will make lost or stolen devices that much more difficult to access.
- Have an action plan for devices that are no longer being used because an employee left the Practice or because the device has been replaced for a newer model. Note that this becomes a trickier issue when dealing with personal devices with access to PHI as opposed to company-issued devices.
For a more comprehensive review of your Practice’s liability exposure, you can use the tool available at: https://www.healthit.gov/providers-professionals/security-risk-assessment-tool. Once your Practice has conducted a practice-wide risk assessment to identify your Practice’s security weaknesses, draft policies and procedures on how protected health information will be used, stored, and shared. Conduct HIPAA training at the time of hire and conduct practice-wide education at least annually. Hold individuals accountable when mistakes are made and re-educate whenever necessary. Finally, maintain a culture of compliance to mitigate risk and reduce exposure to liability.
By Jennifer B. Cohen, Esq.
Jennifer Cohen is an associate attorney at The Health Care Group, Inc. and Health Care Law Associates, P.C. in Plymouth Meeting, PA.