Breach Notification Rule Audit Requirements Phase II Protocol
INTRODUCTION
In this prior post, we discussed what the Breach Notification Rule's ("Rule") Audit Protocol requirements were under the Phase I protocol. The Phase II protocol ostensibly adds one more requirement to the Rule, which we highlight below, BUT the significant difference is the language that HHS now uses with respect to what it is demanding for each requirement. Its demands are more detailed and onerous.
This language, we believe, was intended to send a message to the marketplace that the game has changed. Below we review each requirement and its new language. Unfortunately, in some cases, HHS also changed what it named an individual protocol; however, the statutory reference remained the same. We use the statutory reference as a guide to illustrate the changes. Everything new will be in blue to highlight the differences. The name of the new protocol will be in "blue bold" and underlined. As you will see, there are multiple protocols per statutory reference in several cases.
This article also provides an interpretation of what we believe is being asked by HHS. Look for the "Explanation" section after each requirement.
CHANGES TO THE PROTOCOL
§164.402 Risk Assessment of Breach.
Inquire of management as to whether a risk assessment process exists to determine significant harm in a breach.
Definitions: Breach - Risk Assessment
Does the covered entity have policies and procedures for determining whether an impermissible use or disclosure requires notifications under the Breach Notification Rule?
Does the covered entity have a process for conducting a breach risk assessment when an impermissible use or disclosure of PHI is discovered, to determine whether there is a low probability that PHI has been compromised?
If not, does the covered entity have a policy and procedure that requires notification without conducting a risk assessment for all or specific types of incidents that result in impermissible uses or disclosures of PHI?
Obtain and review policies and procedures regarding the process for determining whether notifications must be provided when there is an impermissible acquisition, access, use, or disclosure of PHI.
If the entity does not have a policy and procedure that treats all potential breaches as requiring notifications without conducting a risk assessment, review the covered entity's risk assessment policies and procedures.
Evaluate whether they require the covered entity to consider at least the following four factors:
(i) The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
(ii) The unauthorized person who used the PHI or to whom the disclosure was made
(iii) Whether the PHI was actually acquired or viewed
(iv) The extent to which the risk to the PHI has been mitigated.
Obtain a list of risk assessments, if any, conducted within the specified period where the covered entity determined there was a low probability of compromise to the PHI. Use sampling methodologies to select documentation of risk assessments to assess whether the risk assessments were completed in accordance with §164.402(2).
Obtain a list of risk assessments, if any, conducted within the specified period where the covered entity determined that the PHI was compromised and notifications were required under §§164.404-164.408. Use sampling methodologies to select documentation of risk assessments to assess whether the risk assessments were completed in accordance with §164.402(2).
Explanation: First, HHS wants to know if you have a methodology for determining when a Breach is triggered and the corresponding policies and procedures to back that up. Our Breach Notification Framework ("BNF") would satisfy this requirement. Second, HHS assumes that if you don't have policies and procedures in place to determine when a Breach is triggered, then you intend to notify each time there is a presumed breach and they want policies and procedures pursuant to that strategy. In either case you are required to have policies and procedures in place to manage Breach Notification.
Definitions: Breach - exceptions Unsecured PHI
Did the covered entity or business associate determine that an acquisition, access, use or disclosure of protected health information in violation of the Privacy Rule did not require notifications under §§164.404-164.410 within the specified period?
* If yes, did the covered entity or business associate determine that one of the regulatory exceptions to the definition of breach at §164.402(1) apply? If yes, obtain documentation of such determination. Use sampling methodologies to select and review documentation that such were completed in accordance with §164.402.
* If yes, did the covered entity or business associate determine that the breach did not require notification, under §§164.404-410, because the PHI was not unsecured PHI, i.e., it was rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified in the applicable guidance? If yes, obtain and review documentation. Use sampling methodologies to select and review documentation that such were completed in accordance with §164.402.
Explanation: First, HHS is attempting to determine if you have an analytical framework in place that you applied to determine that the instant facts are not a Breach because one of the Breach exceptions applies. Second, HHS is attempting to assess whether you did not consider the instant facts a Breach because you have encrypted your PHI using a method specified in the Secretary's guidance or something better. In either case you must show documentation; that is, you must show what we call visible, demonstrable evidence ("VDE"). Our BNF provides both the necessary guidance and the VDE to support this requirement. Third, in the preceding protocol items HHS asks for lists of the Risk Assessments you have conducted (notice that HHS assumes you have conducted more than one Risk Assessment). This is where Expresso would prove helpful during an audit.
NOTE: It appears that §164.402 was split into two requirements thereby changing the total count to 11 instead of 10. Substantively there are no changes.
§164.404 Notification to Individuals.
Inquire of management as to whether a process exists for notifying individuals within the required time period. Obtain and review key documents that outline the process for notifying individuals of breaches.
§164.404(a) Notice to Individuals
Does the covered entity have policies and procedures for notifying individuals of a breach of their protected health information?
Obtain and review a list of breaches, if any, in the specified period involving 500 or more individuals. Obtain and review documentation of notifications provided to the affected individuals. Determine whether notifications were provided to individuals consistent with the requirements in §164.404(a)(1).
Explanation: HHS' audit protocol, as it relates to the Breach Notification Rule ("Rule"), is largely comprised of a set of "preparedness" requirements. Assuming that notification is triggered, do you have policies and procedures in place to notify the required stakeholders as required by the Rule? For example, do you have model letters for patients, media, and HHS? Do your model letters contain the content required by the Rule? Our BNF provides all that is necessary out-of-the-box.
§164.404 Timeliness of Notification.
Inquire of management as to whether a process exists for notifying individuals within the required time period. Obtain and review key documents that outline the process for notifying individuals of breaches. Verify, if any breaches have occurred, that individuals were notified within 60 days.
§164.404(b) Timeliness of Notification
Were individuals notified of breaches within the required time period? Inquire of management.
Obtain and review the policies and procedures for notifying individuals of breaches and determine whether such policies and procedures are consistent with §164.404, including providing notification without unreasonable delay and in no case later than within 60 days of discovery of a breach.
Obtain and review a list of breaches, if any, in the specified period and documentation indicating the date individuals were notified, the date the covered entity discovered the breach, and the reason, if any, for delay in notification to determine whether all individuals were notified consistent with §164.404(a), (b).
Explanation: Assuming there was a Breach (one or more) you must produce VDE that you provided notification in a timely manner according to the Rule. Essentially, this requires you to have a tracking mechanism that records when you first became aware of the Breach (e.g. using our Incident Tracking spreadsheet and other collateral contained in our Security Rule Checklist) and when notification was actually delivered. You generally have sixty (60) days from the date the Breach was discovered to provide the necessary notification, and even that is an outer limit: the Rule requires notification without unreasonable delay. The number of individuals affected determines when you must notify HHS and whether you must notify the media at all.
§164.404 Methods of Individual Notification.
Inquire of management as to whether a process exists for notifying an individual or an individual's next of kin of a breach. Obtain and review formal or informal documentation that provides the process and method for notifying individuals of a breach and compare it to established performance criteria. Inquire of management of the process for identifying an individual's contact information or next of kin and the process for follow-up when there is insufficient contact information. Obtain and review formal documentation that identifies the methods for providing notification where contact information is insufficient or out-of-date and compare to established performance criteria.
§164.404(d) Methods of Notification
Does the covered entity have policies and procedures for notifying an individual, an individual's next of kin, or a personal representative of a breach? Inquire of management.
Obtain and review the covered entity's policies and procedures for notifying individuals, next of kin, or personal representatives of a breach to determine whether they are consistent with §164.404(d), including the following:
* Do the policies and procedures provide that notice will be provided by first-class mail unless the individual has agreed to receive an electronic notice?
  If there is a process for individuals to agree to receive electronic notice, is there also a process to address circumstances where an individual withdraws such agreement?
* Do the policies and procedures provide that the covered entity will send the notification to the next of kin or personal representative where the covered entity has knowledge that the individual is deceased and has the address of the next of kin or personal representative?
* Do the policies and procedures address the provision of substitute notice consistent with §164.404(d)(2), including:
  o Alternative means for providing notification to individuals if there is insufficient or out-of-date contact information for fewer than 10 individuals
  o If there is insufficient or out-of-date contact information for 10 or more individuals:
    - Posting a conspicuous notice on the home page of the covered entity's web site or publishing conspicuous notices in major print or broadcast media in the geographic area(s) where the affected individuals likely reside
    - Establishing a toll-free phone number that remains active for at least 90 days.
Did the covered entity determine that there were any breaches within the specified period that required substitute notice? Obtain and review documentation of substitute notices:
1. If there is insufficient or out-of-date contact information for fewer than 10 individuals, documentation of notice provided by alternative means, such as a log of telephone calls
2. If there is insufficient or out-of-date contact information for 10 or more individuals, documentation of a conspicuous posting on the home page of the covered entity's web site or a copy of conspicuous notices in major print or broadcast media, and documentation of a toll-free phone number that remained active for at least 90 days.
Use sampling methodologies to select notifications to be reviewed and verify that the notices include the elements required by §164.404.
Explanation: Here HHS wants to ensure that you have VDE showing that notification will be provided to the right individual. To satisfy this requirement you must have a process in place that ensures your contact information for the patient is correct. If that process determines that the contact information is out of date, then you must provide VDE of a process that allows you to determine when substitute notice is required, and the form of substitute notice depends on whether fewer than 10 or 10 or more individuals are affected. The key to satisfying this requirement is to have the requisite organizational processes in place. You must also know that, depending on the number of individuals affected, the timing of notification and which stakeholders must be notified vary.
§164.404 Content of Notification.
Inquire of management to determine if there is a standard template or form letter for breach notification. Verify that, if any breaches have occurred, the notification to the individuals included the required elements of this section.
§164.404(c)(1) Content of Notification
Does the covered entity have policies and procedures for providing individuals with notifications that meet the content requirements of §164.404(c)? Inquire of management; obtain and review policies and procedures. Evaluate if the specifications at §164.404(c) are met.
Inquire of management whether the covered entity has used a standard template or form letter for notification to individuals for all breaches or for specific types of breaches. If the covered entity has used a standard template or form letter for breach notification, obtain and review the document. Evaluate whether it includes this section's required elements.
Obtain and review a list of breaches, if any, in the specified period and documentation of written notices sent to affected individuals for each breach. Use sampling methodologies to select notifications sent to individuals to be reviewed and verify that the notices include the elements required by §164.404(c).
Explanation: This should be self-explanatory. Your model letters and/or other notification collateral must contain the content that the law requires. You simply can't state "Oh by the way there has been a breach" and be done. Hopefully, your organization has either collaborated with counsel to develop model letters and other collateral or has purchased same from a trusted source. The model letters contained in our BNF are Omnibus Rule Ready. There have been no changes to the regulations since then.
§164.406 Notification to the media.
Inquire of management as to whether a process exists for notifying media outlets for breaches of more than 500 individuals' PHI and compare it to established performance criteria. Verify if any breaches of unsecured PHI have involved more than 500 individuals and have required notification of media outlets.
§164.406 Notification to the Media
Does the covered entity have policies and procedures for notifying media outlets of breaches affecting more than 500 residents of a State or jurisdiction? Obtain and review policies and procedures. Evaluate whether the specifications at §164.406 are met.
Obtain and review a list of breaches, if any, in the specified period affecting more than 500 residents of a State or jurisdiction. Obtain and review documentation to verify that the media notifications included the elements required by §164.406.
Explanation: In certain instances the media will need to be notified: when a breach involves more than 500 residents of a State or jurisdiction, prominent media outlets serving that State or jurisdiction must be notified (and media in multiple states when a breach affects more than 500 residents of each of them). HHS wants to know if your organization has VDE supporting the fact that you understand when this notification should take place. Our BNF is an example of such documentation. It walks you through the process meticulously, step-by-step, with flowcharts and narrative that illustrate when notification to the media is required. HHS also wants you to demonstrate that you are aware of which media outlets you should notify. Again, this is a preparedness requirement.
§164.408 Notification to the Secretary.
Inquire of management as to whether there have been any breaches of unsecured PHI and verify that the Secretary was notified. Verify if any breaches of unsecured PHI have involved more than 500 individuals and have required contemporaneous notification to the Secretary. Verify if any breaches of unsecured PHI have involved less than 500 individuals and have required annual notification through the HHS website.
§164.408 Notification to the Secretary
Does the covered entity have policies and procedures for notifying the Secretary of breaches involving 500 or more individuals? Does the covered entity have policies and procedures for notifying the Secretary of breaches involving less than 500 individuals? Obtain and review policies and procedures. Evaluate whether the specifications at §164.408 are met.
Obtain and review a list of breaches, if any, in the specified period involving 500 or more individuals. Obtain and review documentation of notifications provided to the Secretary. Determine whether contemporaneous notifications were provided to the Secretary consistent with the requirement in §164.408. Use sampling methodologies to select notifications to be reviewed and verify that the notices include the elements required by §164.408.
Obtain and review a list of breaches, if any, in the specified period involving fewer than 500 individuals. Obtain and review documentation of notifications provided to the Secretary. Evaluate whether the notifications were provided to the Secretary within 60 calendar days of the end of the calendar year in which the breach was discovered, consistent with the requirement in §164.408. Use sampling methodologies to select notifications to be reviewed and verify that the notices include the elements required by §164.408.
Explanation: First you must be able to show VDE that you understand when the Secretary is notified. The time of notification varies depending on the number of individuals affected. If the number affected is 500 or more (>= 500), you must notify the Secretary contemporaneously with the individual notices, that is, without unreasonable delay and in no case later than sixty (60) days from discovery, and the breach will be posted on the HHS breach portal (the "Wall of Shame"). Otherwise you must notify the Secretary within sixty (60) days after the end of the calendar year in which the breach was discovered. So, you must have VDE showing that you understand both the timing differences and the fact that the Secretary always gets notified. Our BNF provides you the VDE to satisfy this preparedness requirement.
§164.410 Notification by a business associate.
Inquire of management as to whether there have been any breaches of unsecured PHI for a business associate and verify that the covered entity was notified. Obtain the standard business associate agreement to verify that the breach and notification elements are included in the agreement.
§164.410 Notification by a Business Associate
Did the business associate or subcontractor determine that there were any breaches of unsecured PHI within the specified period?
If yes, obtain copies of the notification(s) sent by the business associate (or subcontractor) to the covered entity (or business associate for breaches by subcontractors). Evaluate whether the business associate or subcontractor sent the notifications consistent with the requirements at §164.410. Use sampling methodologies to select notifications to be reviewed and verify that the notices include the elements required by §164.410.
Explanation: First you must understand that a business associate provides notification only to the covered entity, or, if the business associate is a subcontractor of another business associate, to its next-in-line business associate. You must have VDE that shows you understand the manner in which notification occurs in those instances where the Breach occurred on the "business associate's watch" (i.e. in an information system that the business associate controls). Unless the business associate agreement expressly delegates the task, it is the covered entity that provides notification to external stakeholders (i.e. patients, HHS, and the media), and the obligation remains the covered entity's either way. Therefore, it is critical that the covered entity have VDE that shows it has a process in place to get the necessary information from its business associate(s) so it can notify external stakeholders according to law.
§164.412 Law enforcement delay.
Inquire of management as to how notifications are delayed in case of law enforcement requests. Obtain and review documentation of the process to delay notifications in case of law enforcement requests.
§164.412 Law Enforcement Delay
Does the covered entity or business associate have policies and procedures regarding how the covered entity or business associate would respond to a law enforcement statement that a notice or posting would impede a criminal investigation or damage national security?
Has the covered entity or business associate delayed notification of a breach of unsecured PHI pursuant to such a law enforcement statement?
If yes, obtain and review documentation of any such law enforcement statement. Evaluate whether the covered entity or business associate acted in accordance with §164.412. Use sampling methodologies to select notifications to be reviewed and verify that the notices include the elements required by §164.412.
Explanation: You must have VDE showing that you have a process for handling a law enforcement request to delay notification of stakeholders, and that you understand those instances in which law enforcement may lawfully ask you to delay and which instances they may not. Under §164.412 a written statement from law enforcement specifies the period of the delay; an oral statement permits a delay of no more than 30 days from the date of the statement unless a written statement follows, and you must document the oral statement and the identity of the official who made it. In practice it is recommended that your Breach counsel handle this request.
§164.414 Burden of Proof.
Inquire of management as to whether a risk assessment process exists to determine significant harm in a breach. Inquire of management as to whether a process exists to ensure that all notifications were made as required or that the impermissible use or disclosure did not constitute a breach. Obtain and review documentation of uses or disclosures that were not determined to be breaches and the corresponding risk assessment documentation.
§164.414 Burden of Proof.
NOTE: HHS does NOT make any requests for documents for this requirement. The "protocol" simply states that covered entities and business associates have the burden of proof with respect to whether Breach Notification was triggered.
Explanation: You must have an analytical framework in place that walks you through the Breach notification analysis. Assuming you reach Step 3 of that framework, then the covered entity must make a decision as to whether it should notify or not. At this point HHS (i.e. the law) presumes that a Breach has occurred. Therefore, the covered entity bears the burden of proof (i.e. in a subsequent proceeding or audit) of demonstrating that there was a "low probability" that PHI was compromised. The burden is HUGE, and counsel should recommend notification UNLESS the evidence is compelling that PHI was not compromised.
SUMMARY
What are we to make of all of this? First, there is no reason to panic. There have been NO SUBSTANTIVE CHANGES to the regulations since the Omnibus Rule (circa 2013), which means that NONE of the underlying requirements of the Breach Notification Rule has changed. Remember, HHS can only audit you on the requirements contained in the regulations. They can't "make up" new requirements for an audit. For our Subscribers nothing changes because our Breach Notification Framework distilled the underlying requirements from the "get-go." If you're relying on other products then you need to ask the right questions. There is no need to guess what HHS might ask you in an audit. If you are compliant with the underlying requirements then you have visible, demonstrable evidence to satisfy ANY audit question that might come your way.