Guidance Needed on 'Risk of Harm'AHIMA's Rhodes Calls for Breach Notification Clarification
"Whenever there is new legislation or new regulations, people always go, 'Just tell me what to do,'" Rhodes says in an interview with HealthcareInfoSecurity.com's Howard Anderson (transcript below).
The "risk of harm" assessment, also known as the harm standard, requires that organizations determine whether a breach incident actually resulted in "financial, reputational or another type of harm" to individuals and thus must be reported, Rhodes notes. But just what's required when making that assessment is somewhat unclear, he contends.
Nevertheless, hospitals and others cannot afford to wait until the final version of the breach notification rule is issued before devising a comprehensive plan for investigating a breach and then notifying those affected, Rhodes stresses. "The interim final rule is still in effect. You still have to comply with it. You can't sit around and wait until it goes final. Your organization is having breaches right now, and you need to deal with these breaches."
Being involved in a security incident and responding to a breach "is a very emotional process," Rhodes notes. "You need to have something that gives you a formal, grounded, repeatable process ... a logical way to move through it. ... There have been lots of incidents where an emotional response or an immediate response or a rushed response backfired on an organization. ..."
In the interview, Rhodes also:
- Cautions that being prepared to conduct a "risk of harm" assessment should be just one component of a broader security governance and compliance program that includes monitoring and auditing for security breaches; and
- Advises organizations to take advantage of risk analysis tools from the North Carolina Healthcare Information and Communications Alliance and the HIPAA Collaborative of Wisconsin.
The interview was conducted after Rhodes' presentation at a HIPAA security conference co-sponsored by the HHS Office for Civil Rights, which enforces the breach notification rule, and the National Institute of Standards and Technology.
At AHIMA, an association for health information managers, Rhodes specializes in professional practice guidelines. Before joining the association, he served as director of medical information services at Columbia/HCA Presbyterian Hospital in Oklahoma City.
HOWARD ANDERSON: For starters, can you briefly describe the harm standard in the Breach Notification Interim Final Rule, so people have that baseline.
HARRY RHODES: The provisions of the Breach Notification Interim Final Rule say that when you have a security incident, before you determine whether or not it is a reportable incident that requires a breach notification, you have to do a "risk of harm" assessment. You have to use a forensic mechanism to determine whether or not the incident actually resulted in financial, reputational or another type of harm to the individuals. If it did, then you proceed with the breach notification process, notifying the individuals and ... HHS [The Department of Health and Human Services' Office for Civil Rights].
Assessing Risk of HarmANDERSON: Can you highlight for us a few of the key steps healthcare organizations should take to make sure they are doing an adequate assessment of the risk of harm after a breach incident and are complying with the rule's requirements?
RHODES: One of the key things is that the breach notification process and the risk of harm assessment ... are part of a more complete security, governance and compliance model for an organization. You really need to have a process in place so that you are monitoring and auditing for the potential of a security breach. A lot of times what you find out is that people don't even realize that a breach has occurred because they are not doing the forensic investigation; they are not doing the auditing. So that is the first thing you have to have in place.
Then, once you discover that a security incident has occurred, you need to have some sort of formal process that includes formal documentation, and the documentation has to be consistent because you are going to need to keep this documentation and you're going to need to rely on it as you go forward in dealing with the breach and responding to it. Also, later on, should you ever get audited, you are going to need to recall the information, and it could be years afterward that the incident comes up again. You also need to use this documentation for educational purposes in developing your policies and procedures and refining your actions. So you need to have a formal [risk assessment] tool.
Then it's really important to have some sort of a risk assessment ranking so that you can determine whether or not this was an accidental, unintentional breach; or whether it [involved] curiosity or [was] deliberate; or if it was motivated by financial gain. ... You need to have some sort of mechanism so when you are looking at this, you're not just going on your gut reaction.
Being involved in a security incident, responding to a breach and determining the risk of harm is a very emotional process, and everybody is really upset about it. People don't want to talk about it. They wish it would go away. There's a lot of emotion there, and you need to have something that gives you a formal, grounded, repeatable process - a logical way to move through it - so you're not just responding to it. There have been lots of incidents where an emotional response, an immediate response or a rushed response backfired on the organization. Then you're in a bigger mess than you were before.
Assessment ToolsANDERSON: I understand there are some free tools to help with all this that people can take advantage of. Can you tell us about some that might be helpful?
RHODES: There are quite a few out there ... One is the North Carolina Healthcare Information and Communications Alliance Tool. The NCHICA Tool ... [includes] a standardized form for documenting and it's as objective as possible. And it's repeatable and there isn't a lot of subjectivity in there. It's very straight forward. There is a check list. There is a flow chart. Also, there are metrics ... so you can determine what level the incident was ... Was it an unintentional accident, was it curiosity or was it intentional for gain? It's a really great tool ...
The other one that I'm familiar with ... is the HIPAA Collaborative of Wisconsin, or the HIPAA COW. This one is even more detailed and it has many of the same things you find at the NCHICA site. There are documentation forms. There is a check-list. There is a flow chart for the process. There is a ranking system. But in addition ... there are actually some model breaches. The idea there is that you can learn from ... a lot of people's mistakes before you. There are some model letters. There are some talking points when you are talking to the media, a model letter to the media and talking points when you are talking to the patient. The HIPAA COW has the tools plus a whole lot of other resources there that are available.
Both of those are really a great place to start if you're trying to refine your policies or procedures, or if you are trying to develop them.
Harm Standard Changes?ANDERSON: Do you expect a final version of the breach notification rule, which is still pending, will wind up modifying or even eliminating the harm standard?
RHODES: I really hope not. At AHIMA, we looked at the 44 states that have state laws where you have to report an electronic business [not healthcare] record breach. And in the majority of those states, what happens is you identify that you had a security breach and then you immediately contact the attorney general's office, the state police or state health department. Then they actually do the forensic investigation to determine what the level of harm is.
What concerns me about that is you lose control of the assessment ... and you are counting on somebody else who is an outsider looking in at your organization to tell you whether or not you've had a breach and here is what you're going to do about it. What I like about the [federal] risk of harm assessment is that you're ... looking at what your organization does. ... you know what your problems are and you know where your weak areas are. If you don't know, then going through the assessment process helps you to define that and understand that, and it actually helps you to improve and then you determine whether or not the breach harmed the patient financially, reputationally or otherwise. Keeping it in the organization and having you go through the assessment process is really healthy. It improves your security governance, safeguards and compliance process within your organization.
Harm Standard GuidanceANDERSON: Do you think the harm standard needs to be clarified at all?
RHODES: When I go around the country and talk to a lot of people that are trying to do this, they would like to have guidance. Whenever there is new legislation or new regulations, people always go, "Just tell me what to do." There are people out there that would like some guidance. They are very concerned because they may have a process in place; they may be going through and documenting the process; and they may have tools, assessments, rankings and flow charts. But are they documenting enough? Are they doing enough? Are they doing the right thing? Are they over-reporting and the guy down the street is under-reporting? Are they going to spend years and years doing these risk of harm assessments, and documenting them well and then one day they get audited, for whatever reason, by the state or federal government, and find out they have been doing it wrong all these years? They may have been leaving out a step that someone else thinks is important, but they may have thought it wasn't as important.
I would like to see the HHS Office for Civil Rights send out more guidance. Back when the HIPAA Privacy Rule first came out, they had guidance that was available on the OCR site, where you could go and look at a lot of the provisions of the HIPAA Privacy Rule. You could get a better idea of what the expectation was. I would like to see OCR do that same thing on their website - give you some expectations of what you should be doing with the risk of harm assessment.
Time for ActionANDERSON: Because there is uncertainty over potential changes in the final version of the breach notification rule, should that affect your breach assessment strategy, or do you need to be pushing ahead?
RHODES: The interim final rule is still in effect. You still have to comply with it. You can't sit around and wait until it goes final. Your organization is having breaches right now, and you need to deal with these breaches. You have state laws that you have to [comply with] ... Now there are only about three states that require reporting for breaches of protected health information. ... But it won't be long before the rest of the states will also be requiring you to report protected health information breaches as well.
I don't think you can wait. You need to get started now, because if not, you're going to be behind the curve trying to catch up. There are people out there that are just not going to do anything. They are just going to wait and see. I've spoken to some of them, and I try to make them see the light that they need to get started now. But there are people that think the whole thing just might go away.
My advice is, there's an obligation that's in the HIPAA Security Rule right now that you investigate, mitigate and document breaches and what your response is. There already is a HIPAA requirement that you do something. Waiting for the breach notification final rule is unnecessary.