For healthcare providers and health systems covered by the privacy and security regulations under the Health Insurance Portability and Accountability Act (HIPAA), a breach of unsecured protected health information (PHI) likely triggers obligations to notify affected individuals, the federal Office of Civil Rights (OCR), potentially the media and other entities. The breach also may require notification to one or more state Attorneys General, an obligation that depends on state law. Currently, the state data breach notification law in Michigan does not provide for Attorney General notification, something Michigan Attorney General Dana Nessel wants to change, according to reporting earlier this month from the HIPAA Journal.

Spurring the Michigan AG are concerns about the timing of notification to patients about recent breaches involving health systems but which were breaches experienced by downstream vendors. These are important concerns considering the increasing identity crimes and overall data risk individuals face, which can be mitigated to some degree with timely notification. However, health systems and entities in other industries can find themselves caught in a tough spot from a notification perspective when dealing with a breach experienced by a vendor.

On the one hand, quickly putting notification in the hands of individuals about a compromise of their personal data is critical to helping those individuals take measures to protect themselves from ID theft and other harms. Notification may prompt individuals to be more vigilant about their personal information, review credit reports, set up a fraud alert, check their bank statements and other measures to protect themselves from cyber criminals.  On the other hand, as a practical matter, the time between the date the breach occurred (as experienced by a downstream vendor) and the date of notification to patients can be affected by many factors, several of which may be outside the control and sometimes the knowledge of the covered entity. Looking solely to that metric in some cases may not be the most appropriate measure of timeliness to assess a covered entity’s performance and compliance when responding to a breach. If it is a metric upon which enforcement can be based, covered entities may need to revisit their incident response plans and vendor relationships to that timeframe as much as possible.

Let’s unpack this a little.

  • Recall that under HIPAA, a breach must be reported “without unreasonable delay and in no case later than 60 calendar days after discovery.” 45 CFR 164.404(b) (emphasis added).
  • A downstream vendor experiencing a breach of PHI likely is (but not always) a business associate of the covered healthcare provider. Of course, the relationship may not be that close. The vendor may be the subcontractor of the subcontractor of the business associate of the covered entity.
  • The general rule under the HIPAA Breach Notification rule is that business associates are obligated to notify the covered entity of a breach, not the affected individuals. See 45 CFR 164.410(a)(1). When there are multiple layers of business associates, a chain of notification commences where one business associate notifies the next business associate upstream and so on until getting to the covered entity. In many cases, the business associate experiencing a breach may not know what entity or entities are the ultimate covered entity(ies). See more on that below.
  • Under the HIPAA Breach Notification rule, business associates are not obligated to notify affected individuals. That obligation, unless delegated, remains with the covered entity. 45 CFR 164.404(a)(1).
  • The HIPAA Breach Notification rule also provides that when a business associate has a breach it must report “the identification of each individual whose unsecured protected health information has been, or is reasonably believed by the business associate to have been, accessed, acquired, used, or disclosed during the breach.” 45 CFR 164.410(c)(1).
  • In some cases, vendors effectively have no access to the PHI that they maintain or store for the ultimate covered entities, but still may be considered business associates. Other similar vendors may fall under a “conduit exception” and not be considered business associates under HIPAA. In either case, they may nonetheless have obligations other than HIPAA (statutory or contractual) to notify their customers of a breach. In these cases, however, the vendors simply may not be in a position to provide critical information upstream, such as identity of the affected individuals.
  • As the reporting of the data breach travels upstream, the covered entity may be completely unaware of the breach. It could be weeks or even months after the breach actually occurred before news of the breach reaches the covered entity. Consider that the vendor that experienced the breach may not have discovered it for some time after the attack happened, further expanding the time between the breach occurring and ultimate notification to patients.
  • Upon discovery of a security incident from a business associate, which already could be long after the breach actually occurred and several layers downstream, the covered entity must initiate its incident response plan. One of the first tasks will be to understand what happened and what data was affected. This news often does not come with a spreadsheet from which the affected individuals could easily be identified. It may instead arrive in the form of a long list of files and folders that contain thousands and thousands of documents, images, records, etc. Many of these items may have no PHI whatsoever. The challenge is to find those documents, images, records, etc. that do, and to pull from those items the individuals affected and the kind of information involved. This process, sometimes referred to as data mining and document review, often is complex, time-consuming, and costly.
  • On completion of the data mining and document review process, the covered entity will begin to have a better sense of the individuals affected, the type of information compromised, the state(s) in which those individuals reside, etc. At this point, covered entities will work quickly to arrange for notification to individuals, the OCR, and, if applicable, the media, state agencies, others. 

There is no doubt that breach notification laws serve an important purpose, namely, to alert affected individuals about a compromise to their sensitive data so that they can take steps to protect against ID theft and other risks. However, the promptness of notice can and often is hampered by factors outside of the covered entity’s control, particularly if the measure of promptness is the time between the date the breach occurred (regardless of what entity experienced the breach) and the date of notification to individuals.

All that being said, there may be some ways that covered entities might tighten up this process. One consideration, of course, is to adopt, regularly assess, and practice an incident response plan. Another is to have a more granular understanding of the data certain vendors are handling for the covered entity. Still another consideration is to revisit the entity’s vendor management program. Looking more closely at downstream service providers beyond direct business associates might be helpful in assessing the notification process and timing should a breach take place downstream. Having more information about downstream vendors, their roles, and the data they process may serve to shorten the notification timeline. Ultimately, even if there is a delay downstream, before the covered entity discovered the breach, a well-executed incident response plan, one that results in a shortened timeframe between discovery and notification, could help to improve the covered entity’s defensible position whether facing a litigation or government agency enforcement action.

Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Joseph J. Lazzarotti Joseph J. Lazzarotti

Joseph J. Lazzarotti is a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. He founded and currently co-leads the firm’s Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP)…

Joseph J. Lazzarotti is a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. He founded and currently co-leads the firm’s Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer, focused on compliance, Joe also is a member of the firm’s Employee Benefits practice group.

In short, his practice focuses on the matrix of laws governing the privacy, security, and management of data, as well as the impact and regulation of social media. He also counsels companies on compliance, fiduciary, taxation, and administrative matters with respect to employee benefit plans.

Privacy and cybersecurity experience – Joe counsels multinational, national and regional companies in all industries on the broad array of laws, regulations, best practices, and preventive safeguards. The following are examples of areas of focus in his practice:

  • Advising health care providers, business associates, and group health plan sponsors concerning HIPAA/HITECH compliance, including risk assessments, policies and procedures, incident response plan development, vendor assessment and management programs, and training.
  • Coached hundreds of companies through the investigation, remediation, notification, and overall response to data breaches of all kinds – PHI, PII, payment card, etc.
  • Helping organizations address questions about the application, implementation, and overall compliance with European Union’s General Data Protection Regulation (GDPR) and, in particular, its implications in the U.S., together with preparing for the California Consumer Privacy Act.
  • Working with organizations to develop and implement video, audio, and data-driven monitoring and surveillance programs. For instance, in the transportation and related industries, Joe has worked with numerous clients on fleet management programs involving the use of telematics, dash-cams, event data recorders (EDR), and related technologies. He also has advised many clients in the use of biometrics including with regard to consent, data security, and retention issues under BIPA and other laws.
  • Assisting clients with growing state data security mandates to safeguard personal information, including steering clients through detailed risk assessments and converting those assessments into practical “best practice” risk management solutions, including written information security programs (WISPs). Related work includes compliance advice concerning FTC Act, Regulation S-P, GLBA, and New York Reg. 500.
  • Advising clients about best practices for electronic communications, including in social media, as well as when communicating under a “bring your own device” (BYOD) or “company owned personally enabled device” (COPE) environment.
  • Conducting various levels of privacy and data security training for executives and employees
  • Supports organizations through mergers, acquisitions, and reorganizations with regard to the handling of employee and customer data, and the safeguarding of that data during the transaction.
  • Representing organizations in matters involving inquiries into privacy and data security compliance before federal and state agencies including the HHS Office of Civil Rights, Federal Trade Commission, and various state Attorneys General.

Benefits counseling experience – Joe’s work in the benefits counseling area covers many areas of employee benefits law. Below are some examples of that work:

  • As part of the Firm’s Health Care Reform Team, he advises employers and plan sponsors regarding the establishment, administration and operation of fully insured and self-funded health and welfare plans to comply with ERISA, IRC, ACA/PPACA, HIPAA, COBRA, ADA, GINA, and other related laws.
  • Guiding clients through the selection of plan service providers, along with negotiating service agreements with vendors to address plan compliance and operations, while leveraging data security experience to ensure plan data is safeguarded.
  • Counsels plan sponsors on day-to-day compliance and administrative issues affecting plans.
  • Assists in the design and drafting of benefit plan documents, including severance and fringe benefit plans.
  • Advises plan sponsors concerning employee benefit plan operation, administration and correcting errors in operation.

Joe speaks and writes regularly on current employee benefits and data privacy and cybersecurity topics and his work has been published in leading business and legal journals and media outlets, such as The Washington Post, Inside Counsel, Bloomberg, The National Law Journal, Financial Times, Business Insurance, HR Magazine and NPR, as well as the ABA Journal, The American Lawyer, Law360, Bender’s Labor and Employment Bulletin, the Australian Privacy Law Bulletin and the Privacy, and Data Security Law Journal.

Joe served as a judicial law clerk for the Honorable Laura Denvir Stith on the Missouri Court of Appeals.