Security Breach Notification

What you might have thought was not a big breach (or a big deal in terms of HIPAA compliance), might end up being a big headache for covered entities and business associates. In fact, it’s probably a good idea to try to find out what “smaller” breaches your competitors are reporting (admittedly not an easy task, since the “Wall of Shame” only details breaches affecting the protected health information (PHI) of 500 or more individuals).

Subscribers to the U.S. Department of Health and Human Services Office of Civil Rights (OCR) listserv received an announcement a couple of weeks ago that OCR would begin to “More Widely Investigate Breaches Affecting Fewer than 500 Individuals”. The announcement states that the OCR Regional Offices investigate all reported breaches involving PHI of 500 or more individuals and, “as resources permit”, investigate breaches involving fewer than 500.  Then the announcement warns that Regional Offices will increase efforts “to identify and obtain corrective action to address entity and systemic noncompliance” related to these “under-500” breaches.

Regional Offices will still focus these investigations on the size of the breach (so perhaps an isolated breach affecting only one or two individuals will not raise red flags), but now they will also focus on small breaches that involve the following factors:

* Theft or improper disposal of unencrypted PHI;

* Breaches that involve unwanted intrusions to IT systems (for example, by hacking);

* The amount, nature and sensitivity of the PHI involved; and

* Instances where numerous breach reports from a particular covered entity or business associate raise similar concerns.

If any of these factors are involved in the breach, the reporting entity should not assume that, because the PHI of fewer than 500 individuals was compromised in a single incident, OCR is not going to pay attention. Instead, whenever any of these factors relate to the breach being reported, the covered entity (or business associate involved with the breach) should double or triple its efforts to understand how the breach occurred and to prevent its recurrence.  In other words, don’t wait for the OCR to contact you – promptly take action to address the incident and to try to prevent it from happening again.

So if an employee’s smart phone is stolen and it includes the PHI of a handful of individuals, that’s one thing. But if you don’t have or quickly adopt a mobile device policy following the incident and, worse yet, another employee’s smart phone or laptop is lost or stolen (and contains unencrypted PHI, even if it only contains that of a small handful of individuals), you may be more likely to be prioritized for investigation and face potential monetary penalties, in addition to costly reporting and compliance requirements.

This list of factors really should come as no surprise to covered entities and business associates, given the links included in the announcement to recent, well-publicized OCR settlements of cases involving smaller breaches.  But OCR’s comment near the very end of the announcement, seemingly made almost in passing, is enough to send chills down the spines of HIPAA compliance officers, if not induce full-blown headaches:

“Regions may also consider the lack of breach reports affecting fewer than 500 individuals when comparing a specific covered entity or business associate to like-situated covered entities and business associates.”

In other words, if the hospital across town is regularly reporting hacking incidents involving fewer than 500 individuals, but your hospital only reported one or two such incidents in the past reporting period, your “small breach” may be the next Regional Office target for investigation. It will be the covered entity’s (or business associate’s) problem to figure out what their competitors and colleagues are reporting to OCR by way of the “fewer than 500” notice link.

A registered nurse employed by Minnesota Blue Cross Blue Shield (BC/BS) with a history of drug offenses allegedly accessed a prescription drug database 249 times without a legitimate purpose, according to a report by Minneapolis CBS affiliate WCCO posted by reporter Esme Murphy.

The nurse, Jim Johnson, reportedly had been previously assigned by BC/BS under the insurer’s contract with the state Department of Health to monitor prescription drug use in state-run medical programs. In that capacity, he was given access to the Minnesota Prescription Monitoring Program (MNPMP), which is generally limited to licensed prescribers and pharmacists, and their delegated staff. The MNPMP was established to detect diversion, abuse and misuse of prescriptions for controlled substances.

For a period of eight months after Johnson had been reassigned to other duties, he apparently had not been removed from the list of authorized users despite BC/BS having notified the state of the change. WCCO reports that during that time Johnson had accessed 56 individuals’ records, and had viewed a number of records multiple times. Investigations also revealed that Johnson had accessed some of these same individuals’ social media profiles. There reportedly is no indication at this time that Johnson disclosed any of the information he obtained or that he misused that information to obtain narcotics.

State Nursing Board disciplinary records indicate that Johnson had been fired by two previous employers because of narcotic violations. He reportedly admitted to stealing drugs from Children’s Hospital in St. Paul in 2000 and was fired by Unity Hospital after admitting to stealing morphine. He had not been charged criminally but had been fined and subjected to additional supervision. BC/BS was apparently unaware of Johnson’s disciplinary history when he was hired.

There is plenty of blame in this situation to go around. Although the MNPMP apparently had a process in place for credentialing legitimate users, it failed to revoke those credentials when it was notified that Johnson’s job no longer required him to access the database. BC/BS may have failed to monitor its employees’ access to such a highly confidential trove of information, and may have exercised poor judgment in not thoroughly vetting an employee before assigning him to such a sensitive role.

Employee “snooping” has led to serious consequences in a number of high profile cases, including a Vermont ultrasound technologist who peeked at her ex-husband’s family’s records, a UCLA researcher who was sentenced to prison for looking at celebrity charts, California and New York hospital workers who accessed celebrity records and 16 Houston hospital employees fired for accessing a resident’s medical records after she was injured in a shooting incident.

A surprising footnote to WCCO’s story is the fact that the state Department of Health reportedly misstated HIPAA’s breach reporting requirements and claimed that only breaches involving 500 or more individuals were reportable. Such large-scale breaches require notice within 60 days of discovery, but, as indicated in the WCCO report, breaches involving fewer than 500 individuals must still be reported within 60 days of the close of the calendar year.

This is not BC/BS’s first brush with medical privacy violations. According to the Star Tribune, in 2010, a subscriber sued the insurer for violating the Minnesota Health Records Act and breaching her privacy by disclosing her name and providing confidential information about her medical treatment. Amazingly, the patient’s information was reproduced in illustrations that appeared in handbooks and marketing pamphlets instead of “dummy” information. Her ID and claims information appeared in 400 copies of a pamphlet and in 95,000 copies of a member handbook. Previously, the State Department of Commerce suspended the license of a BC/BS agent after a life insurance customer complained that the agent had improperly disclosed the customer’s personal information.

Once again the temptation to rummage around in an inadequately-secured repository of information has proven too hard for an employee to resist. Few covered entities and business associates have implemented safeguards to protect data from curious (or dishonest) employees’ eyes. Heightened employee training about prohibition of snooping with emphasis on discipline up to and including discharge is one step. However, the time may have come when relying on the honor system and training may be insufficient to meet HIPAA’s poorly-defined “minimum necessary” standard and more robust technical solutions may be called for. Even when, as in this case, only certain individuals are given access to PHI on a need-to-know basis, there is room for improvement of monitoring and oversight of those individuals’ actual behavior.
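The monitoring gap described in this case (credentials left active after a reassignment, one user querying many records, and repeated views of the same record) can be caught with a routine access review. The following is an added example, not code from the post or from the MNPMP or BC/BS: it runs three checks over a constructed audit log. The user names, record ids, dates and thresholds are invented for illustration.

```python
"""Access-review checks over a constructed audit log (added example)."""
from collections import Counter, defaultdict
from datetime import date, datetime

# Constructed roster: user -> date on which the user's authorization ended
# (None means still authorized). A query after that date means the account
# was not removed from the authorized-user list when the role change was reported.
AUTHORIZATION_END = {
    "nurse01": date(2012, 3, 31),
    "pharm07": None,
    "rx_md22": None,
}

# Constructed audit log, one query per line: "<ISO timestamp> <user> <record id>"
AUDIT_LOG = """\
2012-04-02T09:14:00 nurse01 P-1001
2012-04-02T09:15:30 nurse01 P-1001
2012-04-02T09:20:10 nurse01 P-1002
2012-04-03T11:02:00 nurse01 P-1001
2012-04-03T11:05:00 nurse01 P-1003
2012-04-03T11:06:00 nurse01 P-1004
2012-04-03T14:00:00 pharm07 P-2001
2012-04-03T14:01:00 pharm07 P-2002
2012-04-04T08:00:00 rx_md22 P-3001
2012-04-04T08:30:00 ghost99 P-3002
"""


def parse_log(text):
    """Parse log lines into (timestamp, user, record) tuples; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, record = line.split()
        events.append((datetime.fromisoformat(ts), user, record))
    return events


def stale_or_unknown_access(events, roster):
    """Queries by users not on the roster, or whose authorization had already ended."""
    hits = []
    for ts, user, record in events:
        if user not in roster:
            hits.append((user, ts, record, "not on roster"))
        elif roster[user] is not None and ts.date() > roster[user]:
            hits.append((user, ts, record, f"authorization ended {roster[user]}"))
    return hits


def high_volume_users(events, max_distinct):
    """Users who queried more distinct records than the threshold allows."""
    seen = defaultdict(set)
    for _, user, record in events:
        seen[user].add(record)
    return {u: len(r) for u, r in seen.items() if len(r) > max_distinct}


def repeat_views(events, min_views):
    """(user, record) pairs viewed at least min_views times."""
    counts = Counter((user, record) for _, user, record in events)
    return {k: n for k, n in counts.items() if n >= min_views}


def review(text, roster, max_distinct=3, min_views=3):
    """Run all three checks and return the findings together."""
    events = parse_log(text)
    return {
        "stale_or_unknown": stale_or_unknown_access(events, roster),
        "high_volume": high_volume_users(events, max_distinct),
        "repeat_views": repeat_views(events, min_views),
    }


if __name__ == "__main__":
    for name, finding in review(AUDIT_LOG, AUTHORIZATION_END).items():
        print(name, finding)
```

The thresholds are placeholders; in practice they would be set per role, and the roster check would be driven by the same HR or contract change notice that, in this case, was sent to the state but never acted on.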


This post, written by my colleague Elizabeth Hampton, originally appeared on Garden State Gavel, a new blog focusing on New Jersey litigation topics.

Fraud is on the rise in every industry, and the lengths that some people will go to make money by “gaming” the system are both fascinating and alarming. Look for some of these stories in this regular feature designed to inform you of the latest fraud trends and provide practice tips to safeguard your business from unwelcome intruders.

Steps to Fraud-Proof Your Professional Practice

Fraud is an increasingly lucrative “business” that weaves its web of deception through corporations, religious and educational institutions, and the provision of health care. The recent data breaches a la Target and Sony are just some of the more highly publicized examples of the breadth of this problem for businesses and their customers.

But did you know that the healthcare industry tops the charts of data breaches and fraud costs? In fact, The Economist (31 May, 2014) suggests that healthcare fraud in this country contributes $272 billion in incremental costs to the system.

Health records are like gold to fraudsters because they often contain financial information, insurance numbers and personal data that can be used to obtain drugs or other benefits.  Converting this information in order to submit false healthcare claims has been a regular practice for some scammers.

As government and private insurers have stepped up their fraud detection models, medical providers likewise need to review their policies and step up their own monitoring to protect their practice from potential data breaches and fraud claims.

Have you considered whether your business is at risk for a data breach? Are you taking steps to “fraud-proof” your health care practice? Consider the following:

1. Perform a “Check-up.” Every practice needs one. Conduct a random review of your patient files to ensure that all information is appropriately filed and that the files are complete. Have your patients completed intake forms? Is there proper documentation of an accident or injury? How is the health information protected from improper disclosure?

2. Review Protocols. When was the last time you reviewed your policies? Have they been updated to comport with new HIPAA standards? Do you understand what the standards mean for you and your employees?

3. Billing. Make sure that your billing is done correctly and that those who have been entrusted to perform this function are on top of things. Have there been trends in collection? Have insurers rejected claims? Find out why.

4. Employees. Do not assume that your employees are aware of the dire consequences associated with the improper disclosure of health care information.  Educate them and set a high bar for security of this information.

Stay tuned for more fraud stories and ways that you can prevent it from damaging your business.

The number of large breaches of Protected Health Information (PHI) under HIPAA that have been reported on the so-called “Wall of Shame” (the HHS List) maintained by the U.S. Department of Health and Human Services has jumped by 239 to 885 in less than a year. The most common breach type is “theft” in this ever-lengthening parade on the HHS List of PHI breaches affecting 500 or more individuals (the List Breaches). Previous blog posts in this series, including those discussed here and here, covered the volume of List Breaches that occurred in earlier periods.

It took nearly 3½ years between the inception of the HHS List on March 4, 2010 and August 13, 2013, to reach 646 postings, for an annualized average of approximately 189 postings per twelve-month period. In less than twelve months from August 13, 2013 to July 29, 2014, 239 more marchers have joined the parade on the HHS List.

A total of 430 or almost one-half (48.6%) of the total of 885 List Breaches reported the breach type to involve “theft” of all kinds, including laptops, other portable electronic devices, desktop computers, network servers, paper records and others. If the approximately 73 additional List Breaches that have reported the breach type as a “loss” of various types (excluding as a loss item any List Breach that also reported theft as a breach type) are added to the 430 theft events, the total for the two categories swells to approximately 503 or 56.8% of the 885 posted List Breaches. Combining the two categories appears to make some sense, as it is likely that a number of the List Breaches categorized as a “loss” event may have involved some criminal aspects.

Even more significant may be the fact that approximately 272 (30.7%) of the List Breaches reflected the cause or partial cause of the breach to be “theft” or “loss” respecting laptops or other portable electronic devices (collectively, Portable Devices). Theft or loss of Portable Devices thus constituted 54.1% of the approximately 503 List Breaches that reported theft or loss as the breach type.

As has been emphasized in the past, it may have become more a question of when a covered entity (CE), business associate (BA) or subcontractor (SC) will suffer a PHI security breach and how severe the breach will be, rather than if it will ever suffer a breach. The geometric increase in Portable Devices that can create, receive, maintain and transmit PHI requires CEs, BAs and SCs to perform adequate risk assessments and establish effective policies and procedures respecting employer-supplied and personally-owned Portable Devices.

Last week’s Resolution Agreement between the US Department of Health and Human Services, Office for Civil Rights (“HHS”) and a small county in Washington State marks the first time HHS has settled an action against a county government for noncompliance with the Privacy and Security Rules under HIPAA (the “HIPAA Rules”). The Resolution Order with Skagit County, Washington requires the county to pay $215,000 and institute a detailed Corrective Action Plan.

HHS’s action results from an incident in 2011 where the ePHI of 1,581 individuals was disclosed over a two-week period on a public web server maintained by the county. According to the HHS Press Release, the original breach report stated that the ePHI of only seven individuals was at issue, but HHS’s investigation revealed a far broader disclosure and also found that many of the accessible files contained sensitive information pertaining to testing and treatment of infectious diseases. HHS also found that the county failed to provide appropriate notifications after the breach. The investigation further revealed a period of noncompliance with the HIPAA Rules going back to 2005, including failures to implement and maintain Policies and Procedures and to train workforce members appropriately. The Resolution Agreement demonstrates HHS’s commitment to enforcement when it discovers a party has committed the twin sins of long-term noncompliance and inappropriate action after a breach. (Curiously, HHS has yet to include this breach on its list of breaches of unsecured protected health information affecting 500 or more individuals.)

The Resolution Agreement with Skagit County serves as a useful reminder that HHS will take action against parties of any size, whether public or private, and is especially inclined to do so when a party shows a history of noncompliance and reacts inappropriately to a breach. Two simple things can help Covered Entities (of any size) avoid these situations: an up-to-date set of HIPAA Policies and Procedures and a well-trained workforce. Covered Entities should confirm that their Policies and Procedures are current (the Omnibus Rule changed the HIPAA landscape last year and requires updates to existing Policies and Procedures) and that members of their workforce with access to PHI have received specific training related to the Policies and Procedures.


It is noteworthy that there are often substantial delays in disclosures regarding covered entities (“CEs”) that have become marchers in the Parade of large Protected Health Information (“PHI”) security breaches under HIPAA.  This is the case even though the PHI breach notification rule requires that, when a PHI breach affects 500 or more individuals (a “Large Breach”), CEs must notify the affected individuals, the Secretary of the U.S. Department of Health and Human Services (“HHS”) and perhaps media outlets without unreasonable delay and in no case later than 60 days following a Large Breach. In turn, HHS posts each of such Large Breaches on its Web site list (the “HHS List”).

On September 11, 2013, the HHS List posted a Large Breach relating to Minne-Tohe Health Center/Elbowoods Memorial Health Center (collectively, the “Center”) that occurred on October 1, 2011 (the “2011 Breach”), almost two full years before the posting on the HHS List. The HHS List reveals that 10,000 individuals were reportedly affected by the 2011 Breach, which was reflected as attributable to “Improper Disposal, Unauthorized, Access/Disclosure” of a “Desktop Computer, Other.” There are several interesting aspects about the 2011 Breach.

First, the lapse of almost two years before the disclosure of the 2011 Breach represents one of the longest for a Large Breach on the HHS List that was attributable to an event which occurred on a single day. There are numerous Large Breaches on the HHS List that were reported by CEs as having extended for years, such as the most recent item posted to the HHS List on September 26, 2013 for South Shore Physicians, PC, which reflected a “Date of Breach” as running from 1/01/2006-01/12/2012.

Second, while the circumstances surrounding the 2011 Breach are very unclear, one can speculate, based on limited facts available on the Internet, that there may be a credible explanation for the delay.  That being said, it is very difficult to locate descriptive information on the Internet regarding the 2011 Breach or the Minne-Tohe Health Center itself (“MTHC”).  There is no current Web site for MTHC.  While the Elbowoods Memorial Health Center (“Elbowoods”) has a Web site, recent and current information is limited, and there would appear to be no reference to the 2011 Breach.

What one can deduce from an October 27, 2011 press release (the “Press Release”) from North Dakota Governor Jack Dalrymple is that, at the time of the 2011 Breach, MTHC was the main medical facility for the Three Affiliated Tribes (consisting of the Mandan, Hidatsa and Arikara Nation) on the Fort Berthold Reservation, located west of New Town, ND.  According to the Press Release, MTHC served as the Reservation’s main clinic for more than 40 years.

The purpose of the Press Release, however, was primarily to celebrate the grand opening of Elbowoods in New Town, a $20 million clinic to provide expanded health care services to the Reservation.  The Press Release says, “The 43,000-square-foot facility, which opened October 17, [2011] replaces the existing Minne-Tohe Health Center located west of New Town.”

The foregoing information, limited as it may be, appears to provide a possible explanation for the long delay in disclosure of the 2011 Breach. At the reported time of the 2011 Breach, MTHC was in the process of winding down its 40 years of operations, and its personnel were transferring and transitioning the operations, including presumably the health records of MTHC, to Elbowoods. The likely tumult of activity in early October 2011 at MTHC may have brought about a loss of contact with the PHI that was the subject of the 2011 Breach.

Other aspects relating to the 2011 Breach are unexplained by the lack of public information, such as whether affected individuals were duly notified, even two years later, as required by HIPAA.  Nonetheless, the 2011 Breach stands for the proposition that a CE that becomes a marcher in the Parade of Large Breaches may be well served by publishing sufficient information, including the reasons, if any, for a potential violation of HIPAA in addition to the Large Breach itself, e.g., undue delay in breach notification, as opposed to leaving meaningful questions unanswered.

Where did the time go?  Today’s the day – September 23, 2013.  This is compliance day for most of the Omnibus Rule changes.  I had a feeling this deadline would catch up with me faster than I would be able to blog my 10 tips, so I’m going to count “TIP TWO” as tips TWO through SEVEN so as to make my own deadline.  I will post TIP TEN before midnight tonight…

Here are TIPS FOUR and FIVE (aka EIGHT and NINE) —


Business Associates:  before you sign that Business Associate Agreement (BAA), make sure you ARE one! 

As noted in TIP THREE, entities that create, receive, maintain, or transmit protected health information (PHI) on behalf of another entity are likely to be Business Associates. However, it’s worth taking the time to analyze whether you really are a Business Associate subject to HIPAA before contractually obligating yourself to act like one. By entering into a BAA, not only are you agreeing to take on BA duties and responsibilities, but you may be admitting that you are, in fact, a BA, making it more difficult to establish to the putative Covered Entity or to a court or regulatory authority that you’re not.

To determine if you are a Business Associate, first ask yourself if you are creating, receiving, maintaining, or transmitting PHI on behalf of the Covered Entity. If you are doing any of these things on your own behalf and you are a health care provider, health plan, or clearinghouse, you may be a Covered Entity with respect to the PHI at issue. Alternatively, HIPAA may not even apply (for example, if you’re a provider who doesn’t transmit PHI in electronic form in connection with a HIPAA-covered transaction).

It’s important that you know your role prior to signing the BAA so that you aren’t bound by contract to take on the BAA role, but also so that you fully understand the implications of a breach.  If a breach occurs while the PHI is under your watch (directly, as a result of actions or inactions of workforce members, agents, etc., or indirectly, as a result of actions or inactions of subcontractors, for example) and you are actually the Covered Entity, notifications to HHS and to affected individuals will be your responsibility, as will the determination of whether a reportable breach occurred.  A BAA, under which you are purportedly the BA, will not protect you from these obligations, but will certainly muddy the waters and complicate your obligations with respect to the putative Covered Entity.


Check to see if your contractors are actually acting as your agents.

The Omnibus Rule makes it clear that if your “Business Associate” (or “Subcontractor”) is actually an agent, the time frames for notification set forth in your BAA (or Subcontractor Agreement) are off.  The day on which the contracted party knew or should have known, by the exercise of reasonable diligence, of a breach will be imputed to you, and your failure to notify HHS, the media, and/or affected individuals within the HIPAA-required timeframes could result in significant penalties. 

The preamble to the Omnibus Rule explains that HHS will look to the federal common law of agency in determining whether an agency relationship exists, and language in a BAA stating that the BA is an “independent contractor” is irrelevant:  “Rather, the manner and method in which a covered entity actually controls the service provided decides the analysis.”  HHS uses this example of BAA language that shows that the BA is actually an agent of the Covered Entity:  the Business Associate “must make available protected health information in accordance with § 164.524 based on the instructions to be provided by or under the direction of” the Covered Entity.   The clear message: if you exercise authority and control over the contractor during the course of its provision of contracted services, the contractor may be your agent and you won’t be able to point to a BAA’s notice requirements to say you didn’t know and couldn’t reasonably have known of an unreported breach.

This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the U.S. Department of Health and Human Services (“HHS”) ever-lengthening parade list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”).  As reported in a previous blog post in this series, as of August 14, 2013 (and today), there were postings of 646 List Breaches.

Several prior posts in this series here and here addressed the extent to which such List Breaches are being reported by covered entities (“CEs”) as having been attributable to events involving business associates (“BAs”).

As of August 20, 2013, 146 of the total of 646 List Breaches (22.6%) reportedly involved BAs of the reporting CEs.  This is remarkably consistent with the percentage of 22.3% (83 of the total of 372 List Breaches) as of December 2, 2011, reportedly involving BAs of the reporting CEs.

Further analysis of the HHS List as of August 20, 2013, reveals the following:

• 3 of the 6 List Breaches (50%) that affected 1,000,000 or more individuals reportedly involved BAs of the reporting CEs.

• 16 of the 43 List Breaches (37.2%) that affected between 30,000 and 999,999 individuals reportedly involved BAs of the reporting CEs.

• 21 of the 80 List Breaches (26.3%) that affected between 10,000 and 29,999 individuals reportedly involved BAs of the reporting CEs.

• 106 of the 517 List Breaches (20.5%) that affected between 500 and 9,999 individuals reportedly involved BAs of the reporting CEs.

While the foregoing review is only a snapshot of the HHS List as of a given date, it would indicate that, as the size of a List Breach increases, it is more likely that involvement of a BA will be reported. However, the overwhelming proportion of List Breaches (79.5%) on the HHS List, which affected fewer than 10,000 individuals, have reported no involvement of a BA.

More data will be required before the impact of BA involvement in smaller and larger List Breaches becomes clearer. However, there are indications that the larger the List Breach that is reported by a CE, the greater the likelihood that it will involve an alleged BA.  It is therefore incumbent upon any CE at a minimum to

(i) choose its BAs with care,

(ii) enter into effective business associate agreements with terms appropriate for the specific risks that may be present, and

(iii) continue to monitor the total performance of BAs, including both delivery of services and HIPAA compliance.

This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the U.S. Department of Health and Human Services (“HHS”) ever-lengthening parade list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). Previous blog posts in this series discussed here and here the volume of List Breaches that occurred in earlier periods. As of August 13, 2013, there were postings of 646 List Breaches.

In the almost 3½ years since the inception of the HHS List on March 4, 2010, there have been 646 postings for an annualized average of approximately 189 postings per twelve-month period. Approximately 334 (51.7%) of the postings reported the type of breach to involve “theft” of all kinds, including laptops, other portable electronic devices, desktop computers, network servers, paper records and others. If the approximately 66 additional List Breaches reporting the type of breach as a “loss” of various types are added to the 334 “theft” events, the total for the two categories swells to approximately 400 or 61.9% of the 646 posted List Breaches. Combining the two categories appears to make some sense since it is likely that a number of the List Breaches categorized as a “loss” event may have involved some theft aspects.

Even more significant may be the fact that approximately 230 (35.6%) of the List Breaches reflected the cause or partial cause of the breach to be “theft” or “loss” respecting laptops or other portable electronic devices. Theft or loss of laptops or other portable electronic devices thus constituted 57.5% of the approximately 400 List Breaches that involved reported theft or loss.
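The breakdowns in this post and the two earlier ones (theft versus loss, with a record that reports both counted once as theft; theft or loss of laptops and other portable devices as a share of that combined group; and business associate involvement by size band) come from the same few columns of the HHS List. The following added example, which is not the blog’s code and not an HHS tool, applies those classification rules to a handful of constructed records whose names, counts and types are invented; it also carries the posts’ own totals through the same percentage routine, rounding half up as the posts’ figures do.

```python
"""Aggregating HHS List style records the way the posts do (added example)."""
from decimal import Decimal, ROUND_HALF_UP

# Locations the posts group as "Portable Devices".
PORTABLE_LOCATIONS = {"Laptop", "Other Portable Electronic Device"}

# Size bands used in the August 2013 post: (label, low, high); high=None means no upper bound.
SIZE_BANDS = [
    ("500-9,999", 500, 9_999),
    ("10,000-29,999", 10_000, 29_999),
    ("30,000-999,999", 30_000, 999_999),
    ("1,000,000+", 1_000_000, None),
]

# Constructed records mimicking the portal's columns:
# (name, individuals affected, breach type(s), location(s), business associate present)
SAMPLE_RECORDS = [
    ("Sample Hospital A", 1_200_000, "Theft", "Laptop", True),
    ("Sample Clinic B", 45_000, "Loss", "Other Portable Electronic Device", False),
    ("Sample Plan C", 12_000, "Theft, Loss", "Laptop, Paper", True),
    ("Sample Practice D", 800, "Hacking/IT Incident", "Network Server", False),
    ("Sample Practice E", 2_500, "Unauthorized Access/Disclosure", "Desktop Computer", False),
    ("Sample Pharmacy G", 600, "Loss", "Paper", False),
    ("Sample Center H", 10_000, "Improper Disposal, Unauthorized Access/Disclosure",
     "Desktop Computer, Other", False),
]


def pct(part, whole):
    """Percentage to one decimal place, rounding half up (26.25 -> 26.3 as in the post)."""
    q = (Decimal(part) * 100 / Decimal(whole)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP)
    return float(q)


def split_field(field):
    """Portal fields list several values separated by commas."""
    return [p.strip() for p in field.split(",")]


def cause(breach_type):
    """'theft' if theft is reported at all, else 'loss' if loss is, else 'other'.
    Theft takes precedence so a record reporting both is not counted twice."""
    types = split_field(breach_type)
    if "Theft" in types:
        return "theft"
    if "Loss" in types:
        return "loss"
    return "other"


def involves_portable(location):
    return any(loc in PORTABLE_LOCATIONS for loc in split_field(location))


def size_band(affected):
    for label, low, high in SIZE_BANDS:
        if affected >= low and (high is None or affected <= high):
            return label
    raise ValueError(f"{affected} is below the 500-individual listing threshold")


def summarize(records):
    """Counts and percentages in the form the posts report them."""
    total = len(records)
    theft = sum(cause(r[2]) == "theft" for r in records)
    loss_only = sum(cause(r[2]) == "loss" for r in records)
    theft_or_loss = theft + loss_only
    portable = sum(cause(r[2]) != "other" and involves_portable(r[3]) for r in records)
    counts = {label: [0, 0] for label, _, _ in SIZE_BANDS}  # [records, with BA]
    for _, affected, _, _, ba in records:
        band = counts[size_band(affected)]
        band[0] += 1
        band[1] += int(ba)
    return {
        "total": total,
        "theft": theft,
        "loss_only": loss_only,
        "theft_or_loss": theft_or_loss,
        "theft_or_loss_pct": pct(theft_or_loss, total),
        "portable_theft_or_loss": portable,
        "portable_share_of_theft_or_loss": pct(portable, theft_or_loss) if theft_or_loss else 0.0,
        "by_band": {label: (n, ba, pct(ba, n) if n else 0.0) for label, (n, ba) in counts.items()},
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_RECORDS).items():
        print(key, value)
```

Feeding the posts’ own totals through `pct` reproduces their figures (430 of 885 is 48.6%, 272 of 503 is 54.1%, 21 of 80 is 26.3%), which is why the rounding mode is made explicit rather than left to Python’s default round-half-even.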

It is likely that it will be a number of months after the effective date of the Omnibus Rule on September 23, 2013, that List Breaches can begin to be evaluated under post-Omnibus Rule standards, such as the presumption that a PHI security event is a breach unless established otherwise. It will be interesting to see if any of the numbers reported above materially change in the post-Omnibus Rule environment.

As has been emphasized in the past, it may have become more a question of when a covered entity (“CE”) or business associate (“BA”) will suffer a PHI security breach and how severe the breach will be, rather than if it will ever suffer a breach. The geometric increase in portable electronic devices to receive, access and store PHI should be monitored carefully by CEs and BAs, as it can be expected that this type of security breach will continue to expand. Effective policies and procedures must be established by CEs and BAs to govern use of such electronic devices, both with respect to entity-supplied devices and personal devices. Many individuals have multiple portable electronic devices of both types that may become repositories of unprotected PHI, whether voluntarily or involuntarily.

If you are a federally-facilitated health insurance exchange (FFE), a “non-Exchange entity”, or a State Exchange, the answer is “Quick, report!”  Those involved with the new health insurance exchanges (or “Marketplaces”?  The name, like the rules, seems to be a moving and elusive target) should make note that privacy and security incidents and breaches are to be reported within one hour of their discovery, according to regulations proposed by the Department of Health and Human Services (HHS) on June 19, 2013 (“Exchange Regulations”).  That’s right – within one hour, or a measly 60 minutes, of discovery of a breach involving personally identifiable information (PII), the entity where the breach occurs must report it to HHS.  Even a mere security “incident” would have to be reported within one hour.  The broad term “incident” would include:

[t]he act of violating an explicit or implied security policy, which includes attempts (either failed or successful) to gain unauthorized access to a system or its data, unwanted disruption or denial of service, the unauthorized use of a system for the processing or storage of data; and changes to system hardware, firmware, or software characteristics without the owner’s knowledge, instruction, or consent. 

Whereas HIPAA breaches (those involving protected health information, or PHI) affecting more than 500 individuals must be reported to HHS “without unreasonable delay and in no case later than 60 days after discovery” and (as discussed here in an earlier blog post) there is no express requirement for reporting of security incidents to HHS, HHS’s new proposal requires a 60-minute turn-around for PII breaches and incidents alike. HHS says that it “considered but declined to use the definitions” for “incident” and “breach” provided under the HIPAA regulations because “the PHI that triggers the HIPAA requirements is considered a subset of PII, and we believe that the HIPAA definitions would not provide broad enough protections… .”

The 60-minute turnaround time may sound familiar to Medicare Shared Savings Programs (MSSPs, also known as Medicare Accountable Care Organizations or ACOs). Approved MSSPs must sign a Data Use Agreement with the Centers for Medicare & Medicaid Services (CMS) before they can obtain data from CMS that contains Medicare beneficiaries’ PHI. The 60-minute turnaround under the Data Use Agreement is even a bit more onerous than that proposed in the Exchange Regulations in that breaches of PII must be reported within 60 minutes of the breach, loss, or unauthorized disclosure itself, rather than within 60 minutes of discovery of the breach, loss, or unauthorized disclosure. Then again, the Data Use Agreement doesn’t require reporting of “incidents” like attempted access or power interruptions, and CMS is thoughtful enough to provide a phone number and email address to be used in making the reports.
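The posts on this page describe several different notification clocks: HHS must be notified of a HIPAA breach affecting 500 or more individuals no later than 60 days after discovery, and of a smaller breach within 60 days after the close of the calendar year; where the business associate that discovered the breach is the covered entity’s agent, its discovery date is imputed to the covered entity; the proposed Exchange rule runs one hour from discovery; and the MSSP Data Use Agreement runs 60 minutes from the breach itself. The following added example, which is not the blog’s code and is not legal advice on any specific case, computes those outer limits from a discovery date so that a compliance calendar can be checked. The example dates and counts are constructed, except that the last assertion-style check in the usage note uses the Minne-Tohe dates the post reports, treating the reported breach date as the discovery date (an assumption the post does not confirm).

```python
"""Outer notification deadlines described in the posts (added example)."""
from datetime import date, datetime, timedelta

LARGE_BREACH_THRESHOLD = 500  # individuals; at or above this, the 60-days-from-discovery clock applies
HIPAA_WINDOW = timedelta(days=60)


def hipaa_hhs_deadline(ce_discovered, affected, agent_discovered=None):
    """Latest date to notify HHS of a breach of unsecured PHI, as the posts summarize the rule.

    ce_discovered    - date the covered entity discovered the breach
    affected         - number of individuals affected
    agent_discovered - date a business associate acting as the CE's agent discovered it,
                       if earlier; the Omnibus Rule imputes that knowledge to the CE
    """
    discovered = ce_discovered
    if agent_discovered is not None and agent_discovered < discovered:
        discovered = agent_discovered
    if affected >= LARGE_BREACH_THRESHOLD:
        # "without unreasonable delay and in no case later than 60 days after discovery"
        return discovered + HIPAA_WINDOW
    # Fewer than 500: within 60 days of the close of the calendar year of discovery.
    return date(discovered.year, 12, 31) + HIPAA_WINDOW


def exchange_deadline(discovered_at):
    """Proposed Exchange rule: report a PII breach or incident within one hour of discovery."""
    return discovered_at + timedelta(hours=1)


def mssp_dua_deadline(occurred_at):
    """MSSP Data Use Agreement: report within 60 minutes of the breach itself, not its discovery."""
    return occurred_at + timedelta(minutes=60)


def is_late(deadline, notified_at):
    """True when notification happened after the outer limit."""
    return notified_at > deadline


if __name__ == "__main__":
    # Constructed scenario: a CE learns of a 600-person breach on 1 Oct 2013, but its
    # agent knew a month earlier, so the clock started for the agent's discovery date.
    d = hipaa_hhs_deadline(date(2013, 10, 1), 600, agent_discovered=date(2013, 9, 1))
    print("HHS deadline (agent's knowledge imputed):", d)
    print("HHS deadline, 56 individuals discovered 5 Mar 2013:",
          hipaa_hhs_deadline(date(2013, 3, 5), 56))
    print("Exchange deadline:", exchange_deadline(datetime(2013, 6, 19, 9, 30)))
```

Applied to the Minne-Tohe post: a 10,000-person breach occurring on October 1, 2011 (taken here as the discovery date) had an outer HHS limit of November 30, 2011, so a September 11, 2013 posting is late by any reading. The 60-day figures are outer limits only; the rule’s “without unreasonable delay” language governs first.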