Q&A: On the delicate dance of data breach notification
The proliferation of mobile devices, in combination with the addressable encryption standard under HIPAA, has created something of a data breach nightmare for hospital and public health department CIOs. The trickiest part: Deciding when to issue breach notifications, and knowing when not to.
Bob Belfort, partner in the healthcare practice at Manatt, Phelps & Phillips, which works with states and providers on health IT and related public policy issues, frequently helps clients craft breach notifications. Government Health IT spoke with Belfort about avoiding notification fatigue, accounting disclosures and the existing uncertainty while the industry awaits the final rules.
Q: What are the heartiest challenges hospital and public health department CIOs face in terms of privacy and security?
A: One big challenge is the proliferation of mobile devices and the accessing of data on a wider array of portable devices. If you look at the reported breaches that have been submitted to HHS, a fair number of them involve portable media devices. Lost laptops, lost CDs, lost phones, things like that. And part of the problem is that the encryption standard under HIPAA has been an addressable standard, meaning it's not a hard and fast requirement; rather, it's supposed to be something that providers assess their ability to comply with and comply with if feasible, but it's not an absolute requirement, and that has created some opportunity in organizations for people to take the obligation to encrypt on mobile devices maybe less seriously. It continues to amaze me to see reported breaches involving lost laptops, CDs or thumb drives when encrypting the data on those devices is not difficult and encrypting it insulates you from having to do breach notification. That is still a pervasive problem, so securing information on portable and mobile devices would be up near the top of my list of challenges for CIOs.
Q: And it almost sounds like, dare I say it facetiously, 'two great tastes that taste great together.' The proliferation of mobile devices alone poses great security risks, and HIPAA's addressable encryption standard just compounds that.
A: They are two issues, to an extent. There are devices that are not hard to encrypt, like a laptop, where the technology is there and it’s just being implemented unevenly. And then there are new types of transmissions, like smart phone transmissions, where at least with respect to the information the technology for encryption is still evolving and there may not always be a perfect solution out there. So I think you’re right, it’s the combination of those things that is causing a lot of headaches.
Q: And then there’s the uncertainty about what actually constitutes a breach and, as such, warrants a notification.
A: The industry is still waiting to see what HHS does in the final rule on breach notification. As you may know there was an interim rule issued a while ago, that imposed this ‘significant risk of harm’ standard and there was a lot of controversy around that. HHS announced it was going to be issuing a new rule but it never did that and so we’re still waiting to see if that standard is going to be changed and, if so, how. I think it’s a very hard concept to work with in practice not only on the risk of harm but also in really deciding whether a breach has occurred in the first place, whether unauthorized access has even occurred.
Sometimes it's not clear whether information has been accessed. There may be a vulnerability that was discovered and it's unclear whether the vulnerability was exploited, or data might be lost in some way but the circumstances suggest it wasn't accessed by anyone. And I get a lot of these calls about assisting clients in making determinations of whether a breach has occurred. The combination of having to figure out if the information was actually accessed by somebody and, if so, whether there's a significant risk of harm is a big challenge, and in the past healthcare providers were largely erring on the conservative side of designating incidents as breaches even if there was a reasonable argument that it didn't meet that standard, because there is a fear of being penalized for not doing that notification. But I'm wondering if that is going to shift some as the negative consequences of doing notification start to materialize, like the class action lawsuits that have popped up after breach notification has occurred, or the government penalties being imposed in investigations following up on notifications. A big challenge is figuring out where to draw that line about doing notification and when a set of facts taken as a whole really qualifies as a breach. It's not an easy decision to make in some cases.
Q: You mentioned negative consequences of notification; what might those be? Is there a downside to revealing too much, or too soon?
A: One of my biggest concerns with incessant notification is you get into notification fatigue on the consumer side. If you start to receive so many of these notices – and I'm among the people who have to try and craft the language that properly balances alerting consumers with not unduly scaring them – you get these letters saying 'Well, there's been this incident, but we have no evidence suggesting your information has been accessed or misused.' There's just so much time people can devote to dealing with these things, and when you get a lot of these notices, you start to tune them out, and then when the real incident that should concern consumers actually occurs, it's hard for them to distinguish between that situation and one where they're getting a notification just so that an organization can protect itself from a claim that it didn't notify. I think there's a downside to excessive notification with respect to the impact on consumers. From a policy standpoint, it's important to really draw the line in the right place and make sure we're notifying people when they really have cause for concern, not when the likelihood of a problem is so low that the vast majority of people would decide not to do anything about it.
Q: Are there other facets of this that I ought to have asked about but did not?
A: Another area where there's been a lot of discussion in the industry that's also supposed to be covered under some new rulemaking by HHS is the accounting of disclosures requirement. Historically, the accounting requirement is the requirement that organizations track certain disclosures of information, and then if a patient requests an accounting, the health organization has to give them a list of who their information has been disclosed to. That has always been a frustrating requirement for many providers because it's very rare that patients actually request an accounting, and there's a lot of infrastructure necessary to do the accounting, and it doesn't get utilized very often from a consumer standpoint. That's always been one of the least favorite provisions of the law. So then in HITECH, Congress significantly expanded the accounting requirement by requiring organizations to track even the routine disclosures that were previously exempt from the accounting requirement, so that triggered a lot of negative reaction from the industry. And then, in its proposed rule implementing the HITECH provision, HHS went beyond the statute and actually required tracking of disclosures not only to outside organizations but internal access by employees of the organization for routine purposes. A requirement that was not popular to begin with is now becoming even less popular because of the additional obligations imposed both by Congress and HHS, at least in the proposed rule. So there's been a lot of concern about how effectively organizations can do that kind of tracking and comply with this requirement, and we're waiting to see whether the proposed rule gets modified at all.
Q: So if we flip that whole scenario around to the patients’ viewpoint some would say there is a strong argument to be made that all of that really is necessary.
A: There are two points of view on this issue. There are consumer advocates who believe that even if very few patients request an accounting, it's most likely patients will request it if they think their information has been misused, and even if that only happens in rare circumstances, it's important for patients to have the right when those instances of actual or suspected misuse occur, and so there's just no avoiding the fact that you have to track one million patients to make sure that in the three cases where the patient is really concerned you can actually give them an accounting. I do understand that perspective, but there's a cost-benefit analysis about whether the expense of doing all the tracking and reporting is the best use of healthcare system dollars at this point, given all the competing demands to spend money on clinical care and reduce cost overall. There are two sides to it; from the industry standpoint, there are many people thinking it's not a wise use of money to do this.
We're all waiting to see how these new rules come out.