Each of these factors must be addressed and documented in order to avoid sending out a breach notification (if appropriate). A notification can be sent out without performing the risk assessment, but the costs of notification will usually be higher than the costs of a risk assessment. The primary difference is that HHS now sets out specific factors that all entities must consider in the risk assessment, instead of relying on the entities’ own judgment. It still leaves the outcome of that risk assessment, and whether the risk to an individual is “low” or not, to the entity’s determination.
Another interesting point (though not a change) to note about the Breach Notification Rule is that covered entities are ultimately responsible for notifying individuals. They can contract that task out to the business associate that “caused” the breach, but ultimately, HHS is going to hold the covered entity responsible for notification in a timely manner.
HHS’s definition of “timely manner” is that the covered entity has 60 days to notify folks from the first day the breach is known “or by exercising reasonable diligence would have been known”. When business associates are involved, the timeframes may change. If the business associate is acting as an agent for the covered entity, then final notification to folks must happen within 60 days from when the business associate discovers the breach. If the business associate is not acting as an agent (according to Federal common law of agency), then the covered entity has 60 days from when the business associate notified them. At the same time, the business associate has 60 days to notify the covered entity once it discovers a breach. This extends the possible notification time frame to 120 days.
To ensure the “timely manner” is not violated, covered entities will need to ensure that their business associate agreements/contracts spell out the expected time frames and responsibilities. Does the business associate have to notify the covered entity for every suspected breach and let the covered entity perform the risk assessment? Or will the business associate perform the risk assessment to determine if it should notify the covered entity? How long does the business associate have to notify the covered entity – especially in cases of agency? Who will pay for and execute the notification process? All of these questions (plus some) will need to be addressed in the contract between the two.
The final piece of interesting information from a security/audit perspective is the definition of “reasonable diligence” to have known about a breach. It’s defined explicitly in the Enforcement Rule as “business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances”. As someone who is down in the trenches discovering attempted (and successful) attacks, what is care and prudence? If big company X with 250,000 employees has a new fancy IDS and SIEM system, does that mean that the small doctor’s office with maybe 10 people has to have the same system? They both need to be aware of breaches if they occur, but the resources available to each are vastly different. Does this require smaller companies to outsource a lot of their IT to companies that can support that type of system? I don’t think that this has been answered yet – and I think that asking a small company to provide the exact same type of auditing capabilities as a large company is unreasonable (but it is not unreasonable for smaller organizations to provide something to detect a compromise).
No matter the size of the organization, CompuTech City can assist medical practices of all sizes with their risk assessment, HIPAA compliance audit, and IT security needs. Although the cost of compliance requires a financial investment by the practice, that investment pales in comparison to the civil penalties and potential litigation costs associated with a breach.