Breach Notification Federal & State Policies Update
No one ever thinks their personal or health information will fall into the wrong hands, but it happens all the time, even to highly reputable organizations such as Trinity Health, Aetna, AdventHealth, and Anthem Blue Cross. To reduce the chance of a breach, both state and federal lawmakers have put in place stringent requirements for keeping electronic and paper records private. If a breach does take place, there are further requirements governing who must be notified, how quickly, and what must be done to remediate the issue.
What the Statistics on Data Breaches Tell Us
According to Statista, the United States saw 1,244 data breaches in 2018, exposing 446.5 million records, and data breaches exposed 4.1 billion records in the first six months of 2019. If these numbers aren’t enough to jolt you and your organization into action, you may want to reconsider your breach policies. Data breaches can be devastating, especially for organizations such as healthcare groups that HIPAA requires to protect the security of patient information. Once a breach has occurred, there are legal requirements for notifying both the proper authorities and the individuals who have been affected. (Hardening your security safeguards after the fact is also essential, but that is a blog for another day.) Today’s blog takes a closer look at security breaches and the federal and state policies that surround this ever-increasing phenomenon in our digitally dependent world.
What Is Considered a Security Breach?
Under Massachusetts law (M.G.L. c. 93H), a breach of security is the unauthorized acquisition or unauthorized use of unencrypted data, or of encrypted electronic data together with the confidential process or key, that is capable of compromising the security, confidentiality, or integrity of personal information maintained by a person or agency, and that creates a substantial risk of identity theft or fraud against a Massachusetts resident. Note the encryption caveat: encrypted data keeps you outside this definition only if the decryption key or process was not also exposed, so a stolen laptop with the passphrase written on a sticky note, or a database dump taken along with the application’s key store, still counts as a breach.
Federal Breach Requirements for Healthcare Entities
Many of our blogs have discussed the ins and outs of the HIPAA Security Rule, which requires safeguards in three categories: administrative, physical, and technical. If those safeguards fail and protected health information is exposed, there are specific requirements for responding to the incident. Let’s look at the federal requirements first and then take a deep dive into the state stipulations.

The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information (PHI), meaning PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons (for example, by encryption that meets HHS guidance).

The federal rule specifies who must be informed and within what timeframe. Covered entities must notify the Secretary of the U.S. Department of Health and Human Services (HHS). According to Security Metrics, “If a breach affects fewer than 500 individuals, the covered entity may notify the Secretary of such breaches on an annual basis. If a breach affects 500 or more individuals, covered entities must notify the Secretary of the HHS within 60 days following a breach (if not immediately).” Two details worth pinning down: the 60-day clock runs from discovery of the breach, not from when it occurred, and the operative standard is “without unreasonable delay,” so 60 days is the ceiling rather than the target. The annual report for the smaller breaches is due within 60 days after the end of the calendar year in which they were discovered.

Covered entities must also notify the affected patients and individuals whose PHI was breached, without unreasonable delay and in no case later than 60 days after discovery, by written notice sent by first-class mail (or by email if the individual has agreed to electronic notice). Security Metrics goes on to note that the method of notice changes when the contact information on file is out of date.
Specifically, “if 10 or more individuals’ information is out-of-date or insufficient (or the breach affects more than 500 residents of a state or jurisdiction), post the statement on your website for at least 90 days and/or provide notice in major print or broadcast media in the affected area.” These are two separate federal provisions: substitute notice (a website posting for 90 days or notice in major print or broadcast media) applies when contact information is insufficient or out of date for 10 or more individuals, and a distinct media notification requirement applies when a breach affects more than 500 residents of a state or jurisdiction. Beyond notification at the federal level, there are also requirements at the state level, which we explain below.
What Are MA State Requirements?
Notifying federal regulators is only part of the process. State breach laws impose their own, separate obligations that run at the same time, including telling state authorities how many residents are affected and what data was stolen or exposed. The National Conference of State Legislatures reports that “all 50 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted legislation requiring private or governmental entities to notify individuals of security breaches of information involving personally identifiable information.”

Massachusetts law specifically states that the entity shall provide notice to the affected residents as soon as practicable and without unreasonable delay. “What are entities?” you may ask. In the healthcare context they include doctors, clinics, psychologists, dentists, chiropractors, nursing homes, pharmacies, health insurance companies, and health clearinghouses, but note that the Massachusetts statute applies to any person or agency that owns or licenses personal information about a Massachusetts resident, not only to healthcare organizations. While legislation differs considerably from state to state, Massachusetts requires the following steps in a data breach, beginning with notification to the state Attorney General and the Director of the Office of Consumer Affairs and Business Regulation. The notification shall include, but not be limited to:
the nature of the breach of security or unauthorized acquisition or use (give a specific description of the breach);
the number of residents of MA affected by such incident at the time of notification;
the name and address of the person or agency that experienced the breach of security;
the name and title of the person or agency reporting the breach of security, and their relationship to the person or agency that experienced the breach of security;
the type of person or agency reporting the breach of security;
the person responsible for the breach of security, if known (this is often not known until months or even years later, if ever);
the type of personal information compromised, including, but not limited to, social security number, driver’s license number, financial account number, credit or debit card number or other data;
whether the person or agency maintains a written information security program; and
any steps the person or agency has taken or plans to take relating to the incident, including updating the written information security program.
In September 2021, the Federal Trade Commission issued a policy statement clarifying that apps and devices that collect personal health information must notify consumers if their data is breached or shared with third parties without their permission. This is especially important given how many people rely on health apps to track fertility, fitness metrics such as heart rate, and blood glucose levels. The policy statement clarifies the FTC’s 2009 Health Breach Notification Rule, which requires vendors of personal health records that are not covered by HIPAA to notify consumers when their data is accessed without authorization, such as in a breach.

Spectra Networks specializes in understanding the best practices to keep your patient data safe at the administrative, technical, and physical levels. If you want to know more about our security policies and how we can assist in making your systems and networks as updated and secure as possible, talk to our team about a consultation today.