Healthcare Data Breaches: What Are Your Legal Obligations for Notifying Affected Parties?

As your business or practice becomes more data-driven and electronically interconnected, are you ready to respond to intrusions into your data and systems? Here are some things you’ll need to know if you experience a data breach.

Healthcare Data Breaches

A hacker has just infiltrated your business’s IT system and accessed the records of hundreds – or maybe even thousands – of your patients or clients. These records include identifying information as well as sensitive information about the patients’ or clients’ health histories and conditions.

Whom do you notify about the breach? By what means do you provide the notice? And how soon do you provide the notice?

Data Breaches: Increasingly Common and Costly

This is a hypothetical scenario that is becoming an all too common reality throughout the U.S. healthcare sector. According to Protenus, a healthcare data analytics firm, and DataBreaches.net in their “2019 Mid-Year Breach Barometer,” during the six-month period from January through June of 2019, there were more than 31 million patient records exposed to third parties through incidents of hacking (including via ransomware, malware, or phishing), theft, and employee or other “insider” access, among other causes. That’s more than double the number of records exposed from a data breach in the healthcare industry during the entire year in 2018 (approximately 14 million).

While the most publicized breaches involve insurance companies, healthcare technology companies, and large hospital systems, hackers target specialty practices as well. And while the direct consequences of the breach can be onerous enough, the ensuing investigation can unearth a range of other issues.

For example, an electronic data breach at Athens Orthopedic Clinic led the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) to uncover numerous areas of non-compliance. Though the breach itself was the work of a malicious hacker, OCR also discovered the clinic’s failures to fulfill HIPAA requirements, including HIPAA policies and procedures, risk assessments, employee training, and business associate agreements. As a result, the clinic paid a $1.5 million settlement for its non-compliance.

Legally, the obligations for how to respond to a breach involving healthcare-related data arise from laws that include:

  • The HIPAA Breach Notification Rule;
  • The FTC Health Breach Notification Rule; and
  • The Illinois Personal Information Protection Act (PIPA).

In this post, we summarize the key breach reporting requirements under each of these laws.

HIPAA Breach Notification Rule

To whom does the law apply?

As with its other provisions, HIPAA’s Breach Notification Rule applies to “covered entities,” which include healthcare providers (e.g., physicians, hospitals) and health plans (e.g., insurers, managed care organizations), as well as their “business associates.” A “business associate” is an individual or entity that performs certain services for or on behalf of a covered entity that entail access by the business associate to “protected health information” (PHI). PHI is “individually identifiable health information” that is transmitted or maintained in electronic form or any other medium.

What constitutes a “breach”?

HIPAA defines a “breach” as the acquisition, access, use, or disclosure of PHI in a manner that HIPAA’s privacy protections do not permit and which compromises the security or privacy of the PHI. This definition is subject to certain exceptions, including where the acquisition, access, or use of PHI was unintentional and “made in good faith” by a workforce member or person acting under the authority of the covered entity or a business associate and no further impermissible use or disclosure occurs.

HIPAA presumes that an impermissible acquisition, access, use, or disclosure of PHI is a breach unless the covered entity or business associate concludes that there is a low probability that the PHI has been compromised, based on a risk assessment that considers the following factors:

  • The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
  • The unauthorized person who used the PHI or to whom the disclosure was made;
  • Whether the PHI was actually acquired or viewed; and
  • The extent to which the risk to the PHI has been mitigated.

Who must be notified of the breach, and what information must the notice include?

HIPAA’s breach notification requirements apply only if the breached PHI was “unsecured,” meaning that it was not protected in accordance with federal standards for encryption or destruction of the information.

A covered entity must, following the discovery of a breach, notify each individual whose unsecured PHI has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of the breach. The notification must include:

  • What happened, including the date of the breach and the date of its discovery, if known;
  • The types of information (e.g., name, Social Security number) that were breached;
  • Steps individuals should take to protect themselves from potential resulting harm;
  • What the entity that suffered the breach is doing to investigate the breach, mitigate harm, and avoid further breaches; and
  • Contact procedures for individuals to ask questions or learn additional information, including a toll-free telephone number, email address, website, or postal address.

For breaches involving more than 500 residents of a state or jurisdiction, a covered entity must, following discovery of the breach, notify prominent media outlets serving the state or jurisdiction. For breaches involving 500 or more individuals (whether or not they are the residents of the same state or jurisdiction), a covered entity must notify the Secretary of the U.S. Department of Health and Human Services (HHS).

Where a business associate discovers a breach, the business associate must notify the covered entity. The covered entity, in turn, must notify affected individuals, HHS, and/or the media.

By what means must the breach notice be provided?

A covered entity may provide notification of a breach to affected individuals through one of the following methods:

  • By written notice via first-class mail to the individual’s last known address;
  • By email, if the individual agrees to electronic notice and has not withdrawn such agreement; or
  • By substitute notice, if there is insufficient or out-of-date contact information that precludes notice using one of the other methods noted above.
    • Where there is insufficient or out-of-date contact information for fewer than 10 affected individuals, the covered entity may provide the substitute notice by way of an alternative form of written notice, telephone, or other means.
    • Where there is insufficient or out-of-date contact information for 10 or more affected individuals, the substitute notice must take the form of either a conspicuous posting for a period of 90 days on the homepage of the covered entity’s website or a conspicuous notice in major print or broadcast media outlets. Either form of substitute notice must include a toll-free phone number, which remains active for at least 90 days, where an individual can learn whether his or her PHI may be included in the breach.

What is the timeline for reporting the breach?

A covered entity must notify affected individuals and, where applicable, HHS and the media of a breach “without unreasonable delay” and in no case later than 60 calendar days after its discovery. A business associate must follow the same timeframe for notifying a covered entity of a breach. However, a covered entity or business associate may delay notification if a law enforcement official so requests in order to avoid impeding a criminal investigation or “caus[ing] damage to national security.”

For breaches involving fewer than 500 individuals, a covered entity need not notify HHS at the time of the breach but must document each such breach in a log and report all such breaches from the preceding year to HHS within 60 calendar days after the end of the year.

A breach is considered “discovered” under HIPAA as of the first day on which any person (other than the person committing the breach) who is an employee, other workforce member, or agent of the covered entity knew, or by exercising “reasonable diligence” would have known, of the breach.

FTC Health Breach Notification Rule

To whom does the law apply?

The FTC Health Breach Notification Rule (the “FTC Rule”) applies to foreign and domestic entities (not individual persons) in the following categories:

  • “Vendors of personal health records”: These entities “offer or maintain” a “personal health record” (PHR). A PHR is an electronic record of “identifiable health information” on an individual that can be “drawn from multiple sources,” and that is “managed, shared, and controlled by or primarily for the individual.”
  • “PHR related entities”: These entities interact with a vendor of PHR either by offering products or services through the vendor’s website – even if the site is covered by HIPAA – or by accessing information in or sending information to a PHR. In guidance on the FTC Rule, the FTC noted that this category includes “[m]any businesses that offer web-based apps for health information,” citing the example of “an app that helps consumers manage their medications or lets them upload readings from a device like a blood pressure cuff or pedometer” into a PHR.
  • “Third-party service providers”: These entities offer services involving the use, maintenance, disclosure, or disposal of health information to vendors of PHRs or PHR-related entities. They are analogous to business associates under HIPAA.

The FTC Rule does not apply to any covered entity or business associate subject to HIPAA.

What constitutes a “breach”?

The FTC Rule defines a “breach” as the acquisition of unsecured identifiable health information of an individual in a PHR, without the individual’s authorization. The same federal encryption and destruction standards that govern whether PHI is deemed unsecured under HIPAA also govern whether information under the FTC Rule is unsecured.

Who must be notified of the breach, and what information must the notice include?

A vendor of PHR or a PHR related entity must, upon discovery of a breach, notify each individual who is a citizen or resident of the United States whose unsecured health information was acquired by an unauthorized person as a result of the breach. The notice must include the same key information as noted above with respect to a breach notification required by HIPAA.

Additionally, the FTC Rule requires a vendor of PHR or a PHR related entity to notify the FTC and/or the media where there is the same threshold number of affected individuals as noted above under HIPAA’s analog requirements.

Similar to HIPAA’s reporting requirements applicable to a business associate in relation to a covered entity, a third-party service provider must provide notice of a discovered breach to the appropriate designated official, or if none to a “senior official,” of the vendor of PHR or PHR related entity with which the third-party service provider contracts to provide services. The vendor of PHR or PHR related entity must then notify affected individuals, the FTC, and/or the media.

By what means must the breach notice be provided?

The FTC Rule largely mirrors HIPAA with respect to the methods by which a covered entity may provide notification of a breach. Thus, a vendor of PHR or a PHR related entity may notify affected individuals of a breach via written notice, email, or substitute notice.

What is the timeline for providing notice of the breach?

Like HIPAA as it applies to covered entities, the FTC Rule requires a vendor of PHR or a PHR related entity to notify affected individuals and, where applicable, the media of a data breach “without unreasonable delay” and in no case later than 60 calendar days after discovery of the breach. A third-party service provider must provide notice of a breach to its contracted vendor of PHR or PHR related entity within the same timeframe. The FTC Rule follows nearly identical standards to HIPAA, as noted above, for determining that a breach is “discovered” and for allowing a delay in sending a required notification where requested by law enforcement.

With respect to the FTC, a vendor of PHR or a PHR related entity must notify the agency as soon as possible and in no case later than 10 business days after discovery of a breach involving 500 or more individuals. A reporting entity need not notify the FTC of a breach involving fewer than 500 individuals. However, the reporting entity must document each such breach in a log and submit it annually to the FTC, consistent with the parallel HIPAA requirements noted above.

Illinois Personal Information Protection Act

To whom does the law apply?

The Illinois Personal Information Protection Act (PIPA) applies to “data collectors,” which are entities (not individual persons) that handle, collect, disseminate, or otherwise deal with nonpublic “personal information.” PIPA defines “personal information” to include: (1) an individual’s first name or first initial and last name, in combination with one or more specified data elements, including “medical information” that is “provided to a website or mobile application”; and (2) a user name or email address, in combination with a password or security question and answer that would permit access to an online account. For purposes of PIPA, the foregoing is “personal information” only where the relevant data elements: (a) are not encrypted or redacted; or (b) are encrypted or redacted, but the keys to unencrypt or unredact or otherwise read the data elements have been obtained through a breach.

Like the FTC Rule, PIPA does not apply to any covered entity or business associate under HIPAA.

What constitutes a “breach”?

PIPA defines a “breach” as an unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a data collector. A breach under PIPA does not include “good faith acquisition” of personal information by a data collector’s employee or agent for a “legitimate purpose” of the data collector.

Who must be notified of the breach, and what information must the notice include?

PIPA’s breach notification requirements vary depending on whether the data collector owns or licenses, or merely “maintains or stores,” the information that is breached.

A data collector that owns or licenses the breached information must notify all Illinois residents whose personal information is acquired in the breach following the data collector’s discovery or notification of the breach. The data collector must provide the notice at no charge to affected individuals.

If the breached information includes an individual’s name, the notification must include:

  • The toll-free numbers and addresses for consumer reporting agencies;
  • The toll-free number, address, and website for the FTC; and
  • A statement that the individual can obtain information from these sources about fraud alerts and security freezes.

If the breached information includes an individual’s user name or email address, the notification must include directions for the individual to promptly change his or her user name or password and security question or answer, or other appropriate steps to protect all online accounts for which the individual uses the same user name or email address and password or security question and answer.

With respect to data collectors that merely “maintain or store” but do not own or license breached information, the data collector must notify the owner or licensee of the breach immediately following its discovery. The owner or licensee then bears the responsibility for notifying affected individuals, following the requirements noted above.

In addition to notifying affected individuals, a data collector must report a breach involving more than 500 Illinois residents to the Illinois Attorney General.

By what means must the breach notice be provided?

A data collector may provide notification of a breach to affected individuals through one of the following methods:

  • By writing;
  • By electronic notice that complies with the federal ESIGN Act; or
  • By substitute notice through email, website posting, or external media outlets if the data collector demonstrates that: (1) the cost of providing notice would exceed $250,000; (2) the class of affected individuals to be notified exceeds 500,000; or (3) the data collector does not have sufficient contact information for affected individuals.

What is the timeline for providing notice of the breach?

PIPA does not prescribe a specific timeline for notifying affected individuals of a data breach. Rather, it provides that a data collector must provide the notification in the “most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.”

However, upon receiving a written request for a delay from a law enforcement agency, a data collector may delay notification for such period of time as the agency determines necessary to avoid interference with a criminal investigation. In those cases where a data collector also must notify the Illinois Attorney General of the breach, the data collector must provide such notice no later than when the data collector notifies affected individuals.

Contact One of Jackson LLP’s Experienced Healthcare Attorneys Today

A data breach can be extremely disruptive to a business’s operations. The added obligations of having to notify the public about the breach often compound that disruption.

At Jackson LLP, one of our experienced healthcare attorneys can assist you in determining which data breach reporting laws apply to your business or practice and managing your response to a data breach. We can also work with you to develop legally compliant data management policies and contracts with your vendors and business associates to mitigate the occurrence of a breach. To schedule a complimentary phone consultation with one of Jackson LLP’s healthcare attorneys, call our office at (312) 985-6484 or click the button below.
