BreachExchange mailing list archives

Anatomy of a HIPAA breach


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 11 Nov 2015 19:54:40 -0700

http://vegasinc.com/news/2015/nov/11/anatomy-of-a-hipaa-breach/

More and more companies are focusing on HIPAA compliance, with good reason.
The law was strengthened in recent years to create tougher penalties when
information is shared or disclosed illegally, and the analysis required to
determine when a disclosure constitutes a breach has also changed. Given
these recent changes to the law, and the high-stakes nature of HIPAA
compliance in general, it’s a good time to review procedures for
recognizing, analyzing, and responding to a breach.

The Health Information Technology for Economic and Clinical Health Act
(HITECH Act) and subsequent regulations have changed several aspects of
compliance with the Health Insurance Portability and Accountability Act of
1996 (HIPAA), including the way covered entities should think about misuses
of Protected Health Information (PHI).

HIPAA requires covered entities to conduct a thorough, good-faith analysis
to determine whether misuse rises to the level of a breach. A “breach” is
the unauthorized acquisition, access, use or disclosure of unsecured PHI
which compromises the security or privacy of such information.

A breach contains the following elements: (1) an unauthorized acquisition,
access, use, or disclosure; (2) of unsecured PHI; (3) resulting in an
impermissible disclosure under the privacy rule; (4) that compromises the
security or privacy of such PHI; and (5) to which an exception does not
apply.

Under the final regulations issued by HHS, the concept of what
“compromises” the security or privacy of PHI has changed. Under 2009
interim regulations for the HITECH Act, a breach occurred only if there was
a significant risk of financial, reputational or other harm to the
individual. The 2013 final regulations remove this “harm standard” and
instead require a four-part risk assessment intended to focus on the risk
that PHI has been compromised in a more objective way.

The 2013 regulations provide that a covered entity must presume that an
acquisition, access, use or disclosure of PHI in violation of the privacy
rule is a breach. This presumption holds unless the covered entity
demonstrates that there is a “low probability” that the PHI has been
compromised based on a risk assessment which considers at least the
following factors: 1) the nature and extent of the PHI involved, including
the types of identifiers and the likelihood of re-identification, 2) the
unauthorized person who used the PHI or to whom the disclosure was made, 3)
whether the PHI was actually acquired or viewed, and 4) the extent to which
the risk to the PHI has been mitigated.

The nature and extent of the PHI involved

Covered entities should consider whether the disclosure involved PHI that
is of a sensitive nature, including the types of identifiers and the
likelihood of re-identification. Social Security numbers would be
considered sensitive. Entities should consider the likelihood that someone
could suffer financial or reputational harm based on the information.

The unauthorized person who used, accessed or received the PHI

The second factor requires covered entities to consider the unauthorized
person who impermissibly used the PHI. Entities should consider whether the
unauthorized person is trained in HIPAA compliance, has obligations to
protect the privacy and security of the information, has a track record of
protecting similar information, and can be obligated to return it. This
factor should be considered in combination with the first factor regarding
the risk of re-identification.

Whether the PHI was actually acquired or viewed

The third factor requires covered entities to analyze whether the PHI was
actually acquired or viewed or, alternatively, if only the opportunity
existed for the information to be acquired or viewed. Entities may have the
technology to confirm that information was unviewed, or they may be able to
lock a lost cell phone or destroy files remotely in order to protect
themselves under this factor.

The extent to which the risk to the PHI has been mitigated

Finally, covered entities must consider the extent to which the risk to the
PHI has been mitigated. If the PHI is no longer in the entity’s possession,
factors such as how easily it can be duplicated should be considered.

With high-profile data breaches on the rise and increased scrutiny by HHS,
employers and other entities subject to HIPAA should review these new
guidelines and revise their HIPAA policies and practices accordingly.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/