You are: a New York State healthcare provider, a health plan or a healthcare clearinghouse, or you are a business associate or vendor that handles New York State patient information for a healthcare provider, a health plan or a healthcare clearinghouse.
For breach notification purposes you are: a "covered entity" or a "business associate" of a "covered entity" under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) [1], and you are also a company “conducting business in New York State” or, in some cases, a “State entity” such as a State-managed healthcare facility, under the New York State Information Security Breach and Notification Act. [2]
As of September 23, 2009, you are subject to: the U.S. Department of Health and Human Services (HHS) Interim Final Rule (HHS Rule), effective September 23, 2009 [3], which establishes notification requirements for healthcare-related breaches, as well as the 2005 New York State Information Security and Breach Notification Act [4], which sets out specific breach notification requirements for all companies conducting business in New York State as well as for State entities.
Your problem: Going forward, when your organization has a data security breach incident you will need to gather facts appropriate to both sets of breach notification requirements to assist your legal counsel in determining whether notification is required under the HHS Rule or the New York State Information Security and Breach Notification Act, or both.
Where you start: Your organization has just experienced a data security breach (possibly requiring notification to patients and government agencies), and you’ve taken steps to contain the harm (e.g., isolated or closed a compromised portion of your network, located a lost laptop or computer tape, changed building access codes and/or door locks, etc.). You’ve also determined who needs to be made aware of the incident. If there was possible criminal behavior involved, the police have been notified and a report filed. Finally, you’ve made sure that all the evidence you will need is preserved to help you with your broader security investigation and your legal counsel’s breach notification assessment.
To facilitate your counsel's assessment, you will need to gather certain facts. The New York State Department of State Division of Consumer Protection suggests that you simplify your inquiry by organizing it around the following questions:
QUESTION 1: WHAT TYPES OF DATA WERE INVOLVED?
The two different notification schemes are based on different characterizations of your patients' information. Under the HHS Rule, the operative definition is "protected health information" (PHI), which refers to individually identifiable health information that is transmitted or maintained in any form or medium, including but not limited to electronic information. [5]
Under the New York State Information Security and Breach Notification Act, the operative definition is "private information", which means computerized data including personal information such as a name in combination with another data element such as a Social Security number, a driver’s license number, or a bank or credit card number with a password or access code. [6]
Thus, you should make a checklist to identify whether the incident involved data such as the patient’s name, Social Security number, driver’s license number, bank account or credit card number, account or card PIN, access or security code, health information and/or other individually identifiable information, and in what format (i.e., electronic or paper) the information had been maintained. Your checklist may reveal that one or both of these data groups is encompassed by your incident. For example, a breach of electronic records involving a combination of the patient’s name, Social Security number and protected health information could require notification under both the New York State Information Security and Breach Notification Act and the HHS Rule. Provide your checklist to your legal counsel for analysis.
QUESTION 2: WAS THE INCIDENT A BREACH REQUIRING NOTIFICATION?
For the HHS Rule, your counsel will need to know: (i) whether the breach constituted an impermissible disclosure or use under the HIPAA Privacy Rule or the HIPAA Security Rule; (ii) whether the PHI was “secured”; and, (iii) whether the impermissible use or disclosure constitutes a significant risk of harm to the individual. To assist in this analysis, you should provide the following facts:
- Impermissible disclosure or use: Was there a disclosure to or a use by someone who was not authorized to acquire the PHI? It could be an employee, an agent of the organization or an outside party.
- Was PHI "secured": Was the electronic PHI encrypted or the paper PHI destroyed in a manner that rendered it “unusable, unreadable or indecipherable to unauthorized individuals”? If there was encryption or destruction, you should find out as much detail as possible so your counsel can determine whether or not the PHI was “secured” according to the HHS standard. If it was, then it will not be necessary to notify patients or government agencies about the breach.
- Significant risk of harm to the individual: Under the HHS Rule, patient notification will be required only in cases where the breach “poses a significant risk of financial, reputational or other harm to the individual.” In order for your counsel to assess whether your incident meets this “harm” threshold, you need to gather all the relevant facts related to risk, especially whether the recipient of the improper disclosure was another “covered entity” or a non-covered entity, the type and amount of information improperly disclosed (e.g., whether a patient received services at a facility versus the nature of the condition or illness for which the patient received services), whether the improperly disclosed information has been returned, and whether such information could be the subject of a further disclosure. Be as specific as possible in the facts you gather for your counsel’s “harm” assessment.
Under the New York State Information Security and Breach Notification Act, significant harm is presumed by virtue of the type of unencrypted data breached, i.e., “private information” such as individual Social Security numbers or financial account information, which carries a high risk of identity theft. Therefore, you will still need to provide patient notification no matter what conclusions are reached with respect to the “harm” assessment of the PHI breach. However, the facts you gather for your counsel’s “harm” assessment may assist in crafting an effective notification under the State law that puts the incident into a clear and easily understandable light for the New York State agencies (Attorney General’s Office, Office of Cyber Security, New York State Department of State Division of Consumer Protection) and for the consumers that need to be notified.
QUESTION 3: DO ANY LEGAL EXCEPTIONS APPLY?
Under the HHS Rule, your organization will not be required to notify either patients or government agencies if certain legal exceptions apply. These exceptions address low-risk situations where there may have been only a very limited initial exposure of the information and there is no further exposure. If an employee or an agent of your organization obtained the information unintentionally and in good faith in the course of performing employment duties or within the professional relationship, and there was no further use or disclosure beyond this unintentional acquisition, then your organization might be able to avoid notification under a “good faith exception.” Additionally, the HHS Rule provides for exceptions when there has been an inadvertent disclosure between similarly authorized personnel or within the same facility, or a disclosure in which an unauthorized person to whom the information has been disclosed would not have been able to retain the information. If one of the exceptions applies, then it will not be necessary to notify patients or government agencies about the breach.
The New York State Information Security and Breach Notification Act also provides for a “good faith” exception similar to the HHS exception above. The critical factor in all of these exceptions is that there is no further disclosure or use of the information beyond an initial disclosure which, while improper, had been done inadvertently or unintentionally. Your legal counsel will need to determine whether your facts fit any of these exceptions as well.
Your counsel will determine whether there has been a breach sufficient to trigger the notification requirements of the HHS Rule, the New York Information Security and Breach Notification Act, or both. If both, your counsel should be able to craft a single patient notification letter explaining the incident which satisfies both federal and State notification requirements. Your counsel will also explain whether federal or state government agencies must be notified and how the organization should make these notifications. The Division intends to update its security breach resources and its guidance as legal requirements evolve.
[1] For further information, please visit http://www.hhs.gov/ocr/privacy/hipaa/understanding/.
[2] The New York Information Security and Breach Notification Act amends the General Business Law (Section 899-aa) and the State Technology Law (Section 208). For more information, please visit http://www.cscic.state.ny.us/security/securitybreach/.
[3] "Interim Final Rule" available at http://www.hhs.gov/ocr/privacy/.
[4] See, e.g., security_breach_business pdf.
[5] For further HIPAA details, see http://privacy.med.miami.edu/glossary/xd_consent.htm. HIPAA regulations define PHI as "any information, whether oral or recorded in any form or medium" that "is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse"; and "relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual." Note that the definition of PHI excludes individually identifiable health information in education records covered by the Family Educational Rights and Privacy Act. It also excludes employment records held by a covered entity in its role as employer. See 45 CFR 160.103; 45 CFR 164.501.
[6] For the New York State definitions, see Section 899-aa (1b) of the General Business Law and Section 208 (1a) of the State Technology Law.