March 2012 • Vol. 28 No. 3 • www.acainternational.org • Published for health care providers by ACA International's Health Care Section
Security Breach Implications
By Katie Hebeisen, Communications Specialist
The Health Insurance Portability and Accountability Act (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH), set forth requirements for covered entities and business associates to provide notice to affected individuals, the media and the Department of Health and Human Services (HHS) following a breach of unsecured protected health information (PHI). Most states have also enacted laws requiring similar forms of notification following a security breach.
While breach notifications strengthen privacy and data security initiatives, reporting a security breach can have drastic effects on a business, including monetary loss and harm to a company’s reputation.
At ACA's 2011 Fall Forum session, HIPAA/HITECH Updates, Leslie Bender, president of Bender & Radcliffe, P.A. in Timonium, Md., discussed security breach implications and why businesses need to fully understand their legal duties following a data security or privacy incident.
“Not every security incident will trigger a breach notification,” Bender said. “And there are good business reasons why you do not want to provide a notice in response to all security incidents.”
Security Incident vs. Security Breach
HIPAA and HITECH draw a distinction between a security incident and a security breach. While all security breaches are security incidents, not all security incidents turn out to be security breaches.
The law defines a security incident as "the attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in an information system." Common types of security incidents include impermissible uses and disclosures of PHI and a lack of safeguards for PHI.
A breach is defined under HITECH as "the acquisition, access, use or disclosure of protected health information in a manner not permitted [under HIPAA's Privacy Rule], which compromises the security or privacy of the protected health information." Importantly, a breach must "compromise the security or privacy of the protected health care information," which means it poses a significant risk of financial, reputational or other harm to an individual. "There have been reported instances where, for reasons unrelated to HIPAA, organizations are insinuating that any violation of HIPAA's Privacy Rule, even if inadvertent, equals a breach and should be reported to HHS," Bender said. "That's simply not true."
Some workers in health systems are not aware of what a breach actually means. A business must communicate to its employees what constitutes a security breach and what does not.
Bender provided three examples of situations that would not be considered a security breach:
1. An employee in your office who has permission to go into your database accidentally looks up the wrong information. "If someone calls a representative and says 'My name is Leslie Bender,' it's possible you would have more than one Leslie Bender in your database," Bender said. "So when the representative is scrolling through to find the right Leslie Bender, it's possible that person could look at something they shouldn't have looked at."
2. An employee accidentally discloses information to someone from another company who may have a business purpose to access the information in some cases, but this time it was done in error. "In this instance, you're trying to send information to an insurance company, but it accidentally gets sent to the wrong business," Bender said. "But the person who gets it is probably not going to use or disclose it in a manner not permitted by HIPAA's Privacy Rule since they are already bound to comply with it."
3. An employee accidentally discloses information to someone outside the organization who does not