Dec. 11 — More than half of the data breaches reported under the Health Insurance Portability and Accountability Act Privacy Rule result from loss or theft, often involving laptops, highlighting how critical it is for institutions to secure their research data, a Department of Health and Human Services official said Dec. 7.
“Know who's using these portable devices within your institution and where they're taking them,” Christina M. Heide, acting deputy director for health information privacy in the HHS Office for Civil Rights (OCR), said.
“If I could drive anything home, it's encrypt, encrypt, encrypt,” she said. “Make sure these devices are encrypted.”
She explained that a lost or stolen laptop with encrypted protected health information (PHI) would fall under a safe harbor and therefore wouldn't qualify as a breach that had to be reported under the HIPAA Privacy Rule. Heide said the data must be encrypted according to the National Institute of Standards and Technology document, “Guide to Storage Encryption Technologies for End User Devices” (SP 800-111).
“One of the goals of the statute was to really get people to encrypt data to the extent it was possible and avoid breaches in the first place,” she said.
Heide served on a panel during a session on identifying and managing privacy breaches in research at the annual Advancing Ethical Research conference, organized by Public Responsibility in Medicine and Research, in Baltimore.
Breach Notification Rule
Under the HIPAA Breach Notification Rule, 45 C.F.R. §§ 164.400–414, covered entities and their business associates must provide notification after a breach of unsecured PHI.
Susan Stayn, senior university counsel representing Stanford University and its affiliated medical center, said that, depending on the circumstances, a data breach also may qualify as an unanticipated problem that must be reported under the Common Rule for protection of human research subjects (45 C.F.R. pt. 46). Unanticipated problems under the Common Rule are events that are:
• unexpected;
• related or possibly related to research; and
• suggestive that the research places subjects or others at a greater risk of harm than was previously known or recognized.
Stayn said data breaches involving research information always are considered unexpected and related to research—even if something outside the research caused the actual breach—so it is really the third criterion that determines whether the data breach also is an unanticipated problem (UP). Making this determination is important, she said, because the Privacy Rule and the Common Rule have different reporting requirements.
Under the Common Rule, serious unanticipated problems should be reported to the institutional review board (IRB) within one week of the investigator becoming aware of the event. Any other unanticipated problem should be reported to the IRB within two weeks, and all unanticipated problems should be reported to appropriate institutional officials, the supporting agency head and the HHS Office for Human Research Protections within one month of the IRB's receipt of the report of the problem.
Report Breaches Quickly
“When you put this time frame up against the reporting time frame under HIPAA, it's really important to report more quickly than this time frame allows in the event of a data breach,” Stayn said. “This is set up for all types of UPs, and in the event of a data breach, the quicker the right people know about it, the quicker you can start investigating.”
The Breach Notification Rule starts the clock at discovery of the breach and requires the OCR to be notified “without unreasonable delay,” but no later than 60 days from discovery, for large breaches involving 500 or more individuals.
“This is when the entity knew or should have known about the incident, and we go really by when was the incident known to the entity, not after all the steps that may be followed to determine that this was actually a reportable breach,” Stayn said. “So the clock starts ticking pretty much right away.”
“It's very important for entities and institutions to drive home these policies for very prompt reporting of even potential security incidents,” she said.
Heide said incidents involving fewer than 500 individuals can be reported to the HHS in a single annual document that is due within 60 days of the end of the calendar year in which those incidents were discovered.
Notification Versus Risk Assessment
Heide explained that a breach is an impermissible use or disclosure of unsecured PHI, and the OCR presumes these breaches require the covered entity to notify the HHS unless the entity or business associate has conducted a risk assessment that demonstrates there is a low probability that the PHI has been compromised. She said institutions always have the option of notifying the HHS, and some institutions choose to simply send in all their breach notifications rather than conduct a risk assessment.
“But if you do want to determine there's been a low enough compromise of the data to avoid notification, you do need to go through this risk assessment and document the outcome,” she said.
The Breach Notification Rule also allows an exception for cases of inadvertent, harmless mistakes, such as when an employee who was acting in good faith mistakenly saw something he or she shouldn't have, Heide said, as long as the employee didn't sell it to the media, take the data off-site or otherwise do anything bad with that information.
“This is not your snooping employee exception,” she said. “There's no exception for snooping employees who are in people's files when they shouldn't be. That's an incident that would need to be assessed as any other.”
Limited Data Set Is PHI
Under the HIPAA Privacy Rule (45 C.F.R. § 164.514(e)(2)), the HHS considers a limited data set, in which data are stripped of 16 direct identifiers, to be PHI, so entities still need to conduct a risk assessment if there's a possible security breach, Heide said.
She said that an entity could go through the risk assessment process and very well determine that there is no need to submit a breach notification on the limited data set, but the risk assessment still has to happen.
Between September 2009 and November 2014, Heide said, there had been 1,169 reports involving large breaches of PHI affecting 500 or more individuals. Statistics on reported breaches show:
• theft and loss accounted for 60 percent of large breaches;
• laptops and other portable storage devices accounted for 33 percent of large breaches;
• paper records accounted for 21 percent of large breaches;
• large breaches affected more than 41 million individuals; and
• there have been more than 127,000 reports of breaches involving fewer than 500 individuals.
One of those incidents involved a laptop with unsecured data falling off the back of a pickup truck, which she said is “probably not the best way for the employee to secure their laptop and their data.”
“So it's very good to have strong policies and procedures,” Heide advised, “and to train on those so that individuals know when they can take data off-site and how they need to secure it.”
To contact the reporter on this story: Jeannie Baumann in Washington
To contact the editor responsible for this story: Randy Kubetin