Handling Security Breaches Under HIPAA: a Legal Perspective

by Brian D. Gradle, Esq.

If you were to ask health information managers for a one-word response to HIPAA, the majority of the replies would likely be “privacy.” However, simply because the compliance date for the final security rule (which was published by the government in February and applies to electronic information only) is not until April 2005 does not mean that HIM personnel can ignore security issues. Also not to be disregarded are the legal issues under the HIPAA privacy rule that can arise from breaches of security regarding protected health information (PHI).

“Appropriate” Safeguards Required

By way of background, the privacy rule does not contain specific requirements regarding security. Instead it simply includes the so-called “mini” security rule, which requires covered entities to have in place “appropriate” administrative, technical, and procedural safeguards to protect the privacy of PHI. Additionally, the privacy rule requires that a covered entity’s (CE’s) business associate contract include the requirement that the business associate (BA) use “appropriate safeguards” to prevent PHI use or disclosure other than as provided for by its contract.

Unfortunately for those who find comfort in precise and quantifiable standards, the Department of Health and Human Services (HHS) has stated that the “flexibility and scalability” of the privacy rule means that CEs need to analyze their own requirements, then implement safeguards that are appropriate to their particular environment. On the bright side, HHS noted that it does not require CEs to guarantee the safety of PHI against all “assaults.” According to HHS, the theft of PHI may or may not indicate a violation of the privacy rule, depending on the circumstances of the theft and whether the CE had reasonable policies in place to protect against such theft.

Security Breach Can Implicate Administrative Requirements

In addition to concerns that a security breach has violated a person’s privacy rights under “common law” and could result in a private lawsuit by the individual for damages, security breaches will likely implicate one or more administrative and other requirements under the privacy rule.

Sanctions. A CE must have in place (and apply) appropriate sanctions against members of the work force that fail to comply with the CE’s privacy policies and procedures (or with the privacy rule).

Training. A CE must train members of its work force to carry out their functions within the organization.

Mitigation. A CE must mitigate (to the extent practicable) any harmful effect that is known to the CE of a use or disclosure of PHI that is in violation of its policies or procedures (or the privacy rule) by the CE or its BA.

Business Associate Agreement. A BA that uses or discloses PHI in a manner that violates its BA agreement will have obligations imposed by the privacy rule (such as the duty to mitigate the harm caused by such use or disclosure) and may have other obligations imposed by the agreement, such as the duty to inform the CE that such a violation has occurred.

Security Scenarios

The following scenarios illustrate a few of the legal issues that can emerge from a breach in security regarding health information, each followed by a brief description of a reasonable response to the breach. Such responses should include a correction of the cause of the failure to comply, as no civil penalties (which are financial in nature) may be imposed by the government under HIPAA on a CE that corrects its failure to comply with the privacy rule within 30 days.

Scenario one: A hospital discovers that the medical records of a VIP inpatient have been accessed by numerous members of its work force by bypassing certain IT firewalls that had been created to prevent such access.

Response: The hospital has an obligation to mitigate any harmful effect that has resulted from this access of PHI. This means that the hospital should, among other things, investigate the scope of the disclosure, including whether any information has been disclosed outside of the hospital, and to whom.

In addition, the hospital has an obligation to apply appropriate sanctions against the members of the work force who improperly accessed this PHI. Importantly, the privacy rule does not prescribe the sanctions that must be imposed, leaving that up to the discretion of the CE. Furthermore, the hospital should assess whether the bypassed firewalls represent appropriate technical safeguards, or whether they should be enhanced.

Scenario two: A recently hired medical records clerk at a psychiatric practice fails to secure the medical records in the medical records file cabinet on a Friday afternoon. That weekend, a group of painters who are painting the office see the records, make copies of them, and take them to a local restaurant that evening where they share them with other patrons. Upon hearing of this incident on Monday morning, the practice’s office manager realizes that the clerk failed to receive any training on security lock-up procedures for medical records, and that no policies or procedures have been prepared regarding work force training, mitigation of improper disclosures, or work force sanctions. No privacy official has been appointed by the practice.

Response: In this scenario, the practice is aware there has been disclosure of extremely sensitive PHI to the public. Moreover, the failure to maintain the security of the PHI can be traced to the practice’s failure to implement fundamental administrative requirements of the privacy rule. The practice needs to immediately recover all of the disclosed records, and to otherwise mitigate any harmful effects of the disclosure. Moreover, the practice should immediately commence HIPAA compliance efforts, starting with the designation of a privacy official who will initiate the training of work force personnel and the preparation of appropriate policies and procedures. In addition, given the sensitivity of the information and its public disclosure, it would be prudent for the practice to seek legal counsel.

Scenario three: A pharmacy benefit manager (PBM) serves as a BA to a number of employer-sponsored group health plans and to several health insurance companies. As required by the privacy rule, the PBM and the CE have entered into BA agreements. One morning, a customer service representative inadvertently faxes PHI to the wrong fax number. After realizing the mistake, the rep immediately notifies the PBM’s privacy official of the error.

Response: In this scenario, the privacy official of the PBM will need to take appropriate steps to mitigate any harmful effect that might result from the inadvertent disclosure. Typically, this would include retrieving the wayward fax, ensuring (to the extent possible) that the recipient has not otherwise used or disclosed the PHI, and counseling the employee on policies and procedures. If retraining on the use of the fax machine is appropriate, then such training should be conducted.

In addition, the privacy official should review the BA agreement with the CE whose PHI was disclosed to determine whether there are additional contractual obligations that the BA has assumed in addition to its obligations under the privacy rule. Such obligations could include notifying certain persons within the CE in the event of an inadvertent use or disclosure, such as the one described in this scenario.

Health information managers who have been focused on the privacy component of HIPAA must not lose sight of the ramifications of the “mini” security rule that resides within the privacy rule. Moreover, if a security breach does occur (whether limited to an inappropriate use within an organization or extending to a broad disclosure to third parties outside the organization), an organization must be able to respond quickly and effectively to the breach. As outlined above, such a response would include the mitigation of any harm caused by the breach, the imposition of appropriate sanctions, the training or retraining of work force members and BAs, and compliance with the terms of the agreement with the CE regarding such breaches.

Brian D. Gradle serves as counsel at Hogan & Hartson L.L.P. in Washington, DC and is an associate professor on the adjunct faculty of American University Law School. He can be reached at (202) 637-5664 or via e-mail at BDGRADLE@HHLAW.COM.

Article citation:
Gradle, Brian D. "Handling Security Breaches Under HIPAA: A Legal Perspective." In Confidence 11:8 (August 2003), [extended online version].