HealthITSecurity dives into an issue that both this site and Protenus have often addressed: the gap between when entities first become aware of a breach or that something likely happened, and the date on which they send notifications to affected patients. In some cases, entities’ disclosures and notifications are more than 60 days after they first “discover” a breach, if we apply HIPAA’s definition of when a breach is “discovered.” But perhaps that definition needs to recognize real-world limitations on compliance?
While HealthITSecurity repeats that HIPAA is clear and firm on the no-later-than-60-days requirement, and while they get statements from experienced attorneys on what the rule means and requires, their article fails to address the real-world issue that attorneys Jeff Drummond, Matt Fisher and other HIPAA experts have often raised with me: if the entity, despite their best effort, cannot timely figure out which patients were impacted in a breach, then they don’t know whom to notify, do they? How can you notify people you haven’t identified yet?
Maybe by Day 58 you can figure out which employees’ email accounts were compromised by phishing or some other compromise (and maybe you can’t figure even that out by then!) but figuring out exactly which emails were in that account that exposed particular patients’ PHI might not be that simple. This site has been advocating for entities to reduce their storage of patient info in employee email accounts, which could help reduce the number and scope of reportable breaches, but in the present climate, the reality is that there is still a lot of ePHI in employee email accounts, and that is not easy to investigate to determine who needs to be notified and what types of PHI were involved for each individual.
I can see notifying HHS/OCR within 60 days of first discovery that there’s been an incident and telling them that it’s under investigation, but if the entity immediately hires a forensics firm and outside help and yet still can’t quickly figure out who’s affected, what, exactly, does HIPAA and OCR expect them to do to comply with the 60-day rule, and is it reasonable? If an entity’s system is locked up by ransomware and so is their backup, what does the rule require them to do within 60 days of discovering that their system is locked up if they can’t decrypt their files and have no other backup?
Is there any room for common sense? Can we say that if an entity knows that ePHI is in the hands of criminals who have already stated their intention to sell it or dump it, then the entity should issue a press release alerting patients — even if it is not yet able to determine every single patient who needs to get a notification and what ePHI was involved for each patient? And wouldn’t that media notice comply with the intention of the rule? Yes, not all patients read local media or may have moved away, but at least this would be something in the interim that would enable the entity to be considered in compliance while they are making their best efforts to prepare for individual notifications.
Yes, I know that perhaps we could waggle our fingers and say, “You shouldn’t have gotten into this mess to begin with,” but this is a widespread problem, and even HHS’s own infosecurity system didn’t pass muster on recent review.
Rather than waggle fingers, can we come up with a reasonable solution and response?
If the entity had taken steps to log the information necessary to prove what happened, and more importantly what did not happen, the task of identifying who to notify would be relatively simple. I am talking, of course, about audit logs, and there should be one running on any system that provides access to sensitive data.
I wonder what percent have adequate logs or solutions to log patient name or ID and types of PHI, etc. for the contents of email or attachments to email. I’d bet an awful lot don’t.