Posted by: Professionals In Human Resources Association (PIHRA) | October 27, 2010

So You Have Experienced a HIPAA Security Breach – Now What?

By Gail Sargent, J.D., LL.M. – Taxation

Imagine one of the last scenes of the movie Deep Impact where masses of individuals are running in terror from the impending asteroid strike.  Sheer panic and horror govern the moment.  As a HIPAA attorney, I have found that similar emotions are brought about by the mere mention of HIPAA, much less by an actual HIPAA security breach.  However, with a clear understanding of your obligations under HIPAA and a well-designed HIPAA security incident response plan in place, you can respond in a calm and orderly manner and avoid costly investigations and penalties.

Remember that health plans, health care clearinghouses and most health care providers are directly subject to the administrative “simplification” provisions of HIPAA (the Health Insurance Portability and Accountability Act of 1996).  HIPAA is the federal law that governs the privacy and security of medical information.  For an employer who maintains a group health plan that is fully-insured and receives no protected health information (“PHI”) from the insurance carrier (other than enrollment information and general summaries of claims with no identifying information), the carrier is responsible for most of HIPAA’s requirements, including responding to security breaches.  However, if an employer maintains a self-funded group health plan or decides to receive PHI from the carrier of a fully-insured plan, the employer is responsible for complying with HIPAA’s privacy, security and new breach notification rules.  Please note that medical reimbursement accounts under cafeteria plans and health reimbursement arrangements are always considered self-funded plans.  HR and benefits professionals are typically the individuals who end up with primary responsibility for ensuring that an employer’s group health plans comply with HIPAA’s requirements.

HIPAA’s breach notification requirements are relatively new, having gone into effect on September 23, 2009.  The basic requirement of this new law provides that upon the occurrence of a security breach of unsecured PHI, notice must be provided to the affected individuals without unreasonable delay (and in no case later than 60 days from the discovery of the breach).  Notice must also be provided to Health and Human Services (“HHS”) and sometimes the media depending on the size of the breach and location of the affected individuals.  The scope of these new rules is extremely broad and includes breaches in electronic, written and oral format.

Having a HIPAA security incident response plan in place is key to responding to a possible HIPAA security breach in a calm and methodical manner, minimizing the chance of an investigation and corresponding penalties.  A HIPAA security incident response plan is similar to a toolkit with all the items needed to comply with this new law without having to “wing it” in a time of chaos and panic.  A HIPAA security incident response plan will typically consist of (i) a general checklist of items to address, (ii) an initial and follow-up report to document what occurred and what steps were taken to respond to the breach and mitigate any harm caused to affected individuals, (iii) model notices that can be customized to the current incident, (iv) a call tree of individuals within an organization who should be involved in the response depending on the type of breach involved and (v) a sample script that can be used to prepare for questions from affected individuals concerned about the breach.

So when the dreaded moment finally arrives and you learn of a possible HIPAA security breach, the steps below will help you navigate the breach like a true professional.

•    Begin an investigation of the incident without delay!  Remember to preserve any evidence (for example, immediately sealing a computer off from use so that it can be sent to a computer forensics professional for evaluation) and, depending on the circumstances, consider filing a police report.

•    Document the details of the security incident.  Note the date on which the breach was discovered, because that date starts the clock for your reporting obligations.  Also determine the identity and state of residence of each affected individual; you will need this information to send the HIPAA-required notices and to determine your notice obligations under the various state breach notification laws.  You must comply with applicable state breach notification requirements to the extent they are not inconsistent with HIPAA’s requirements, and providing notices that satisfy both HIPAA and state law can become extremely complicated when residents of multiple states have been affected by a breach.  You will also need the total number of affected individuals to determine whether the breach is large enough to require media notice in addition to large-breach notice to HHS.

•    Determine what information was breached.  This is critical in determining whether the HIPAA breach notification requirements apply at all.  Remember that HIPAA applies only to a breach of unsecured PHI.  If no PHI is involved, or if the PHI is secured (encrypted or destroyed according to HHS standards), there is no reportable breach for purposes of HIPAA.  The type of breached data is also critical for determining whether the various state breach notification laws apply.

•    Take immediate steps to mitigate any harm caused by the breach.  Determine what response is reasonable and appropriate.  Depending on the severity of the breach, it may be a good idea to offer credit monitoring to affected individuals.  If the breach is the result of a workforce member’s actions, follow your HIPAA sanctions procedures and clearly document each step of the process.  This may also be a good time to reevaluate your HIPAA privacy and/or security policies and procedures to determine whether changes should be made to prevent the breach from recurring.

•    Provide the required notices.  If you have determined that a HIPAA security breach has occurred, every affected individual should receive a notice of the breach containing the information required by HHS.  If state breach notification requirements must also be met, ensure that both the HIPAA and the state law content requirements are incorporated into the same notice.  Remember to concurrently notify HHS if the breach involves 500 or more individuals.  If fewer than 500 individuals are affected, HHS must be notified no later than 60 days after the end of the calendar year in which the breach occurred.  Notice to the media must be provided if more than 500 individuals are affected within a particular state or jurisdiction.  Some states require notice to the state attorney general or to certain regulators, so again, it is always critical to examine state law requirements in addition to HIPAA’s requirements.

•    Document everything!  If a HIPAA security breach affects 500 or more individuals, HHS will most likely open an investigation.  HHS will evaluate smaller breaches and determine whether an investigation is warranted.  State attorneys general now have the right to sue under HIPAA, and some have become very aggressive in investigating security breaches to protect their states’ residents.  A well-organized file documenting every step taken during the investigation and the response will go a long way toward minimizing potential penalties under HIPAA by showing that you have taken your obligations seriously.
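The notice decisions in the steps above (is the breach reportable at all, when must individuals be told, whether HHS is notified concurrently or in the annual log, and which states trigger media notice) are mechanical enough to encode in a checklist tool that an incident response team can run against its initial report. The following is an added, hypothetical example and is not the author’s code or a legal instrument: it uses the thresholds exactly as this article states them (500 or more individuals for concurrent HHS notice, more than 500 in one state for media notice, 60 days from discovery for individual notice, 60 days after the end of the calendar year for smaller breaches) and assumes that the “calendar year in which the breach occurred” can be read from a supplied occurrence date, falling back to the discovery date when the occurrence date is unknown. The state counts and dates used in the sample run are constructed.

```python
"""Breach-notification obligation checker (hypothetical example, not the
article author's code). Thresholds are taken from the article's text;
state-law specifics are out of scope and are only flagged for review."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

INDIVIDUAL_NOTICE_DAYS = 60    # individuals: no later than 60 days from discovery
HHS_LARGE_BREACH_MIN = 500     # 500 or more individuals: notify HHS concurrently
MEDIA_NOTICE_STATE_MIN = 500   # more than 500 in one state/jurisdiction: media notice
HHS_ANNUAL_LOG_DAYS = 60       # smaller breaches: HHS within 60 days of calendar year end


@dataclass
class BreachIncident:
    discovered_on: date                  # the date that starts the clock
    phi_involved: bool                   # did the breached data contain any PHI?
    phi_secured: bool                    # encrypted or destroyed to HHS standards?
    affected_by_state: dict[str, int]    # state of residence -> number of affected individuals
    occurred_on: Optional[date] = None   # assumption: falls back to discovery date if unknown

    @property
    def total_affected(self) -> int:
        return sum(self.affected_by_state.values())


@dataclass
class Obligations:
    reportable: bool
    total_affected: int = 0
    individual_notice_by: Optional[date] = None
    hhs_notice: Optional[str] = None       # "concurrent" or "annual"
    hhs_notice_by: Optional[date] = None   # deadline in the annual-log case
    media_notice_states: list[str] = field(default_factory=list)
    state_laws_to_check: list[str] = field(default_factory=list)


def is_reportable(incident: BreachIncident) -> bool:
    """HIPAA breach notice applies only to a breach of *unsecured* PHI."""
    return incident.phi_involved and not incident.phi_secured


def notification_obligations(incident: BreachIncident) -> Obligations:
    """Derive the HIPAA notice obligations from the facts gathered in the initial report."""
    if not is_reportable(incident):
        # No PHI, or PHI secured per HHS standards: no HIPAA-reportable breach.
        return Obligations(reportable=False, total_affected=incident.total_affected)

    result = Obligations(reportable=True, total_affected=incident.total_affected)
    result.individual_notice_by = incident.discovered_on + timedelta(days=INDIVIDUAL_NOTICE_DAYS)

    if incident.total_affected >= HHS_LARGE_BREACH_MIN:
        result.hhs_notice = "concurrent"   # notify HHS at the same time as individuals
    else:
        year = (incident.occurred_on or incident.discovered_on).year
        result.hhs_notice = "annual"
        result.hhs_notice_by = date(year, 12, 31) + timedelta(days=HHS_ANNUAL_LOG_DAYS)

    # Media notice is decided per state/jurisdiction, not on the overall total.
    result.media_notice_states = sorted(
        state for state, n in incident.affected_by_state.items() if n > MEDIA_NOTICE_STATE_MIN
    )
    # Every state with at least one affected resident has its own notice law to review.
    result.state_laws_to_check = sorted(
        state for state, n in incident.affected_by_state.items() if n > 0
    )
    return result


if __name__ == "__main__":
    # Constructed scenario: a lost unencrypted backup affecting residents of three states.
    incident = BreachIncident(
        discovered_on=date(2010, 3, 15),
        phi_involved=True,
        phi_secured=False,
        affected_by_state={"CA": 620, "TX": 300, "NV": 10},
    )
    print(notification_obligations(incident))
```

Running the sample scenario reports 930 affected individuals, an individual notice deadline of 2010-05-14, concurrent HHS notice, media notice for California only (the one state above 500), and three state laws to review. Swapping `phi_secured=True` (an encrypted device) yields `reportable=False`, which is the point of step three: establishing what was breached comes before any deadline math.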

About the author:  Gail Sargent is an attorney whose practice focuses on HIPAA, ERISA and employer-sponsored benefit plans.  Ms. Sargent is also the owner of The HIPAA Guru, LLC, a company that offers HIPAA training seminars and on-site HIPAA training for health plans, using a fun, interactive and engaging learning style.  Ms. Sargent can be reached at 832-443-8010 or

