How to Perform a Risk Assessment for a PHI Breach?
Data breaches in healthcare are a serious issue; let me clarify that statement. In the U.S., between 2017 and 2018, the number of healthcare records breached tripled.
In 2019, we have witnessed major healthcare data breaches, including AMCA, which may have affected up to 25 million patients, and Dominion National, which looks to have impacted around 3 million patient records.
Healthcare breaches are also the costliest of all data breach types.
A 2019 Ponemon and IBM report into the costs of a data breach placed healthcare as the most costly, at around $6.45 million per breach on average. Breach of protected health information (PHI) is a serious risk, but once you have been breached...what do you do next?
How to Make the Right Decisions After a Breach?
HIPAA sets out rules that must be complied with if an organization suffers a PHI breach. If you do not comply with those rules, large fines and even criminal charges follow. Ignorance is not bliss under the rule of HIPAA.
Whether a breach was accidental, negligent or malicious, HIPAA compliance stands. The HIPAA Breach Notification Rule sets out the details of what you must do once a breach is recognized. The first, and one of the most important, steps is a risk assessment. This gives you the information you need to comply with the notification rule.
Breach assessment is based on levels of risk, e.g. low/medium/high. The process that you go through during a risk assessment allows you to understand the likelihood that the PHI was compromised. If there is a low probability that the PHI was compromised, you may not be required to make a breach notification. Other exceptions to the rule also exist, and these should be reviewed as part of the risk assessment process.
Risk assessment also shows you where to place resources, so that you make pertinent decisions about security as well as notification.
HIPAA Risk Assessment 4-Part Plan
The HIPAA risk assessment 4-part plan is a starting point in developing your own tailored breach risk assessment process. This can be woven into your general security policy, as required.
Part 1 - Was PHI Exposed?
First things first - was PHI actually exposed? It seems like a strange question, but this needs to be established. One of the hold-ups in knowing whether PHI was breached is data visibility. Data is everywhere.
Digitization of the organization has created a data behemoth that makes it hard to know what data you have, where it resides, and where it goes. Unstructured data makes this all the harder. Before you can assess whether PHI has been breached, you need to know what data you have (maybe this ePHI Audit Guide could help).
You can then establish whether PHI was involved in the breach. Information Governance tools allow you to create a full picture of a breach. This includes the type of PHI breached and its sensitivity. You should also consider factors such as the traceability of the PHI back to an individual, and the protection applied to the PHI.
Part 2 - Exposure Across the Ecosystem
Part 2 looks at the scale of the breach. Under HIPAA, business associates of covered entities are also responsible for data protection. Find out when and where the exposure occurred. Was it internal, via a covered entity, or was a business associate the entry point?
Sometimes PHI can be leaked to a third party, for example by sending PHI via email to the wrong person, who may not be covered by HIPAA. This may place the data at greater risk, as the recipient may not have the proper measures in place to protect it.
Part 3 - How far did the breach go?
This is the part that looks into the details of the breach. One aspect is the extent of the breach: did the person(s) who ended up with the breached data actually see or use it?
For example, some data exposure is only realized when an ethical hacker alerts an organization that their data is at risk. Or, in the case of a lost laptop, it might be difficult to establish if the data was exposed or not.
Part 4 - Breach mitigation
The final step in assessing your risk level is to look at what measures can be used to minimize the leak. For example, can you get assurances that the leaked data has gone no further or has been destroyed?
What to Do if Your Risk Level is High?
Once you have established your risk level, you will be able to make an informed decision on breach notification. If your breach assessment reaches the level that requires an official notice, you will need to prepare for that.
Let’s assume that the answer is yes, in which case, some considerations include:
Reporting mechanism - there is a list of stakeholders in the notification process. This includes:
The Secretary at HHS; and
Under certain circumstances, the media.
Business associates must also tell their associated covered entity. The HHS website has further details on how to make an official breach notification.
Documenting the breach - a covered entity must keep records of the breach and its analysis for 6 years.
Disclosure logging - logs of disclosures must also be kept and made available to affected individuals upon request, within 60 days of the request.
Other laws - do you also need to consider state data protection laws as well as HIPAA? State data protection laws sometimes have additional (and sometimes more stringent) breach notification requirements than HIPAA.
The Benefits of Having a Risk Assessment Process
Data breaches are the scourge of the digital era and seem to be only increasing in scope and regularity. Understanding the risk level of a data breach can help you to manage the exposure.
A risk assessment of compromised PHI is also needed to establish your position, post-breach, under the HIPAA Breach Notification Rule. Having a risk assessment process, informed by data access and information governance, means you can make sure you are in compliance and don't waste time and money.