How to Avoid Unnecessary Breach Reporting episode artwork

EPISODE · May 26, 2020

How to Avoid Unnecessary Breach Reporting

from Info Risk Today Podcast · host InfoRiskToday.com

Healthcare organizations need to diligently assess whether a security incident involving patient information truly qualifies as a reportable breach under HIPAA to avoid needlessly reporting it to federal regulators, says regulatory attorney Helen Oscislawski.

Episode metadata supplied by the publisher feed · Published May 26, 2020

Healthcare organizations need to diligently assess whether a security incident involving patient information truly qualifies as a reportable breach under HIPAA to avoid needlessly reporting it to federal regulators, says regulatory attorney Helen Oscislawski.

PodParley-generated summary based on available episode metadata and transcript content.

NOW PLAYING

How to Avoid Unnecessary Breach Reporting

0:00 0:00
of MATCHES

TRANSCRIPT · AUTO-GENERATED

What are the potential consequences when healthcare sector entities make mistakes or miscalculations when filing health data breach reports to government regulators? I'm Marianne Colbusak-McGee, executive editor at Information Security Media Group. Today I'm speaking with privacy and security attorney Helen Aschoslowski, a law firm attorney at Aschoslowski LLC, about breach reporting mistakes that healthcare sector entities should avoid making. So Helen, most carbon entities and business associates will say that they strive to be compliant with federal HIPAA and state regulations related to health data breach reporting, but I understand that you've also observed that entities unnecessarily sometimes report incidents as data breaches.

And if they do that, they might end up facing a variety of negative potential consequences that they should have avoided. Please explain. Yes, that's right Marianne. We can't tell from the actual reports that are listed on HHS portal.

We can't go into the minds of, you know, what those reporting parameters were and what criteria the organization leaned on to make a determination. So I don't want to suggest at all that the ones that have been reported necessarily were wrongfully done so, but through my experience over 10 years and I represent and advise many, many different clients and hear many, many different stories and observe many processes and I know that the analysis process is not always completely clear to organizations and they may not be aware of the drill down that's completely necessary to evaluate an incident and give rise to, whether that incident gives rise to actual notification and reporting obligations under the breach notification rule standards because those are quite specific. You know, I've observed this and I want organizations out there to know that when you come across this incident that you need to take a look at the facts and the circumstances and keep in mind that ultimate standard that reporting notification is only really required when there is a more than a low probability that the protected health information has been compromised. Whether or not something has been compromised is yet another legal standard requiring the evaluation of four factors that HHS has laid out in the rule including taking a look at the nature and extent of the PHI involved.

Could an unauthorized person is on the other end who has received the information or gained access to the information whether the PHI was actually acquired and viewed and to the extent to which the risks to that information have been fully mitigated and if you go back into the preamble to the breach notification rule which came wrapped up together in the omnibus rule with high-tech amendments there's quite a robust discussion that HHS has there in how to evaluate those factors. You know, spend a couple pages on the preamble and it's quite instructive in letting us know what kind of factors they look at. So not many organizations go back into the preamble and take a look at those sort of tests and how those are applied but it's very helpful in knowing how HHS use those criteria because as you mentioned what this whole interview is about if you can justify or you can demonstrate that there is a low probability based on those factors and those analysis then it may very well be that you don't have to report an incident because it does not rise to the level of a legal breach which of course if you do report there are a number of consequences that flow from that. So Helen what's a common example of data security incidents that get reported as HEPA breaches but might not necessarily rise to the level of a HEPA breach and what are some of the possible unnecessary consequences that an organization could face if they do report something as a breach but it really isn't.

Of course the scenario could run the gamut. These are always fact sensitive but let's take an example that was recently in the news not just recently but has been in use with employees that are in your organization. We hear a lot or have often heard about employees that might snoop go into records. Sometimes they do it just because they're curious.

Sometimes there is a more personal reason I come across stories where employees have went into records that they're not authorized to go into because they have a family member or someone else that they have an interest in knowing about their medical treatment or why they're in the hospital or what not. So there could be a gamut of reasons why an employee goes into records none of which are permissible. In fact it's important to note that even though the HIP enforcement piece and HIPAA compliance enforcement piece by OCR really goes to the organization level and a person who's been going into records cannot be assessed civil monetary penalties that always goes to the organizational level but these actions do have a potential criminal liability here and there have been employees across the nation that actually have been prosecuted for exactly those kind of sweeping things probably most famously going into records where there's a famous individual or a prominent individual that has been going in. So you think it's never good but to give your example to answer your question as an example there could be a situation theoretically that somebody accessed a record say or two with its accidental of course and they didn't intend to do it and that is revealed during that investigation that actually would not constitute a breach.

There's three say parbors under the breach notification rule so an inadvertent access would not be reportable but if you do go past and it's not an inadvertent access if they explain to you during investigation that look you know I went in I was just looking around for examples because I had a case like this there could be a period of explanations that an employee can give you for why they were accessing medical records for which they did not have any real clinical or need to know reason and as I said it was very fact specific but if the explanation seems innocuous enough if you will and the employee is completely cooperative and the employee has not further disclosed that information to anybody. Even though that access could constitute an incident or a breach since there's a low probability that that information was been compromised because the employee is cooperative the employee made out gave an explanation which was not one that should cause concern and if you can get the employee to sign a statement as HHS has explained in its preamble a statement saying you know confidentiality statement saying access I agree not to disclose or re-disclose this information anyway then you might be able to determine it's been fully mitigated and you would not have to report that incident so there's one kind of an example and there are many many examples like that and it is of course again fact sensitive but the consequences for not going through that thorough analysis and going through all those for problems is that any incident that is reported to the breach portal on the Secretary of HHS's website any reported breach will be investigated there will be a HIPAA compliance review conducted by OCR in fact take a look at the whole entire list of settlement agreements that have been reached between entities and OCR I think nearly half of them have resulted from self-reported breaches so you will if you do self-reported breach understand that you will be there will be a HIPAA compliance review and that could extend not only to investigating the facts surrounding the incident but also could extend and begin to extend to other aspects of your compliance program and of course your name will also have just 500 more your name will appear on HHS's website so of course that wall of shame as everybody calls it it puts your organization in a bad light of course with public publicity perspective that's never good but there's also a final consequence that the reporting not only to HHS but if there's a notification that also follow to the individuals who are affected by that incident if you are again applying that same standard and if it doesn't really rise to a high probability or more than a low probability that the PHI has been compromised you are not notifying individuals of an incident that may not really be compromising their information that could invite them to seek out an attorney to evaluate the situation and potentially sue which has been you know the case in many cases even if there's arguably no real underlying wrongdoing by the organization because you know they'll proceed because they know that they can't be able to possibly get a settlement out of it which is a good thing because there's a lot of consequences and again all the more important why you understand the full gamut of the analysis and there's a judgment call at the end you know I don't want to downplay and try to prevent organizations from submitting notices but it's indeed given in the settlement agreements with OCR there are a number of them where OCR has actually packed on so we're not going to tell you kind of piece four failure to notify or for delayed notification of breach notification so the main point is understand the variables understand the problems understanding analysis go through it document show your burden of proof and make a determination which end in which way you need to come on so Helen what about ransomware attacks the Department of Human Services Office for Civil Rights has previously issued guidance saying that in most cases ransomware is a reportable heap of breach what's your take on this especially as we see ransomware attacks evolving where there aren't necessarily just you know data and systems that are being encrypted but sometimes these attackers are also exfiltrating data yeah the exfiltration really puts it into the whole entire bucket but you know as you alluded to or you know there was a guidance document on ransomware specifically issued I think at this point a couple years back but the ransomware fact she among other things that goes into whether or not the ransomware attack is a breach and in one of the Q&A sections in one of the section five actually I want to point out that both here itself says the presence just near the real presence of ransomware malware on a covered entity or business associate's computer system it's first considered a security incident okay under the rule and they acknowledge that a deeper analysis needs to be undertaken as well even in those circumstances you know the same test the same legal test the same analysis needs to be undertaken just like any other situation it is going to be fact specific and the OCR points out that that deeper analysis must take place and should involve evaluating whether or not there is a legal breach or a breach as defined under the breach notification rule as a result of that security incident and they say that you know the presence of ransomware in and of itself may or may not rise to the level of impermissible disclosure now you are losing control of the information so that's an issue and it's fact specific so for example can you contain the ransomware and segregate that from the rest of your system can you contain it where the attackers have no way of extracting the information do you have a mirror set of information meaning that you have a backup that you can work off of where the primary data that's been captured is not material to your further operations and your operations going forward so all of these things again will depend on the facts and as in the ransomware the guidance document they said very specifically I'm quoting whether or not the presence of ransomware would be a breach under HIPAA rules that a fact specific determination a breach is defined as the acquisition access use disclosure of phi in a manner not permitted under the privacy rule which compromises the security or privacy of phi so you're right in most cases you know it's often going to beat up the fact that the ransomware attacks will rise to level of breach but there absolutely could be circumstances where they do not again depending on if it's contained it's not extracted so and so forth so and of course if they're don't rise to that level then they would not be reportable as well so Helen as we're dealing with the covid-19 crisis are there potential covid-19 related privacy and security incidents that you think could happen but aren't necessarily reportable breaches are there certain common circumstances that health care entities are facing right now that they should really do a careful analysis of before they decide that yes we should report this as a breach or maybe we shouldn't in this situation I actually wanted to go to the flip side which is to remember that the process of the covid-19 emergency doesn't actually suspend other aspects of HIPAA compliance and HHS has had to come out and as the eye has come out to remind us of things like media but there was just recently last week that guidance document on media because we can imagine that the story is inherently important to cover which have compelled a number of individuals go inside the hospital to bring media in or share with media information that extends too much by one case in New York or allegedly a video happens to it with a media group there's institutions where they wanted to bring media into the emergency room there's been a myriad of things that are all over the news and stuff we can hear and imagine it seems important to want to share that story but patients privacy is just as important and we can't presume that everybody agrees to have their information served with media without first getting their approval authorization that includes having immediate to enter departments or locations in the hospital where there are a number of patients receiving services that might not necessarily be amenable to having the media there during those times so if you remember that that was an incident that has been used telemedicine also we saw the waiver that was issued and while they've waiver are exercising enforcement discretion with regard to providers using telemedicine applications without potentially say a BAA in place because in the interest of getting things up and running in time that does not necessarily completely eliminate a need to do some screening for security and if an incident does happen that certainly might be reportable so you know portion is might be more prudent to give under those circumstances to remember that breaches in this case might be reportable depending on the fact and circumstance that the law does that before still apply so if you have an incident even if it's related to COVID-19 you need to go through the breach risk analysis go through the four-factor test and determine whether or not it's reportable but it's still the presence of the COVID-19 emergency does not somehow eliminate the need to go through that analysis when an incident does occur. Thanks Helen. I've been speaking to attorney Helen Auschwitz-Loski.

I'm Mary Ann Kolbasak McGee of Information Security Media Group. Thanks for listening.

That Hoarder: Overcome Compulsive Hoarding That Hoarder Hoarding disorder is stigmatised and people who hoard feel vast amounts of shame. This podcast began life as an audio diary, an anonymous outlet for somebody with this weird condition. That Hoarder speaks about her experiences living with compulsive hoarding, she interviews therapists, academics, researchers, children of hoarders, professional organisers and influencers, and she shares insight and tips for others with the problem. Listened to by people who hoard as well as those who love them and those who work with them, Overcome Compulsive Hoarding with That Hoarder aims to shatter the stigma, share the truth and speak openly and honestly to improve lives. The Small Business Startup School – Business Notes | Financial Literacy | Retail Psychology – For Professionals & Entrepreneurs The Small Business Startup School Inc. Starting or buying a small business? While personal circumstances may vary, business patterns remain timeless. On The Small Business Startup School, we explore strategies, insights, and practical solutions to help entrepreneurs confidently navigate their journey.Hosted by Ola Williams—a retail entrepreneur, fintech founder, and financial coach with over two decades of experience—this podcast marries financial awareness and retail psychology with optimism to deliver actionable takeaways.Join us to learn, grow, and connect as we uncover the keys to business success.Let’s continue to learn together and be encouraged to keep on connecting! DIOSA. Carolina Sanper This podcast is a sacred space created by Carolina Sanper where you connect with your inner wisdom and embody your magnetic feminine power.It is the realization that the mystical realm is where you plant the seeds of your desired reality.It is a portal to your true essence: awareness, presence, and receiving with ease. Welcome home, DIOSA. 🖤 XXX Tech by SOVRYN Dr. Brian Sovryn The crossroads between technology, sensuality, and metaphysics - and the longest running anarchist podcast in the world! Brought to you by Dr. Brian Sovryn.

Frequently Asked Questions

How long is this episode of Info Risk Today Podcast?

Episode duration information is not available.

When was this Info Risk Today Podcast episode published?

This episode was published on May 26, 2020.

What is this episode about?

Healthcare organizations need to diligently assess whether a security incident involving patient information truly qualifies as a reportable breach under HIPAA to avoid needlessly reporting it to federal regulators, says regulatory attorney Helen...

Can I download this Info Risk Today Podcast episode?

Yes, you can download this episode by clicking the download button on the episode player, or subscribe to the podcast in your preferred podcast app for automatic downloads.
URL copied to clipboard!