For healthcare providers and health systems covered by the privacy and security regulations under the Health Insurance Portability and Accountability Act (HIPAA), a breach of unsecured protected health information (PHI) likely triggers obligations to notify affected individuals, the federal Office of Civil Rights (OCR), potentially the media and other entities. The breach also may require notification to one or more state Attorneys General, an obligation that depends on state law. Currently, the state data breach notification law in Michigan does not provide for Attorney General notification, something Michigan Attorney General Dana Nessel wants to change, according to reporting earlier this month from the HIPAA Journal.

Spurring the Michigan AG are concerns about the timing of notification to patients about recent breaches involving health systems but which were breaches experienced by downstream vendors. These are important concerns considering the increasing identity crimes and overall data risk individuals face, which can be mitigated to some degree with timely notification. However, health systems and entities in other industries can find themselves caught in a tough spot from a notification perspective when dealing with a breach experienced by a vendor.

On the one hand, quickly putting notification in the hands of individuals about a compromise of their personal data is critical to helping those individuals take measures to protect themselves from ID theft and other harms. Notification may prompt individuals to be more vigilant about their personal information, review credit reports, set up a fraud alert, check their bank statements and other measures to protect themselves from cyber criminals.  On the other hand, as a practical matter, the time between the date the breach occurred (as experienced by a downstream vendor) and the date of notification to patients can be affected by many factors, several of which may be outside the control and sometimes the knowledge of the covered entity. Looking solely to that metric in some cases may not be the most appropriate measure of timeliness to assess a covered entity’s performance and compliance when responding to a breach. If it is a metric upon which enforcement can be based, covered entities may need to revisit their incident response plans and vendor relationships to that timeframe as much as possible.

Let’s unpack this a little.

• Recall that under HIPAA, a breach must be reported “without unreasonable delay and in no case later than 60 calendar days after discovery.” 45 CFR 164.404(b) (emphasis added).
• A downstream vendor experiencing a breach of PHI likely is (but not always) a business associate of the covered healthcare provider. Of course, the relationship may not be that close. The vendor may be the subcontractor of the subcontractor of the business associate of the covered entity.
• The general rule under the HIPAA Breach Notification rule is that business associates are obligated to notify the covered entity of a breach, not the affected individuals. See 45 CFR 164.410(a)(1). When there are multiple layers of business associates, a chain of notification commences where one business associate notifies the next business associate upstream and so on until getting to the covered entity. In many cases, the business associate experiencing a breach may not know what entity or entities are the ultimate covered entity(ies). See more on that below.
• Under the HIPAA Breach Notification rule, business associates are not obligated to notify affected individuals. That obligation, unless delegated, remains with the covered entity. 45 CFR 164.404(a)(1).
• The HIPAA Breach Notification rule also provides that when a business associate has a breach it must report “the identification of each individual whose unsecured protected health information has been, or is reasonably believed by the business associate to have been, accessed, acquired, used, or disclosed during the breach.” 45 CFR 164.410(c)(1).
• In some cases, vendors effectively have no access to the PHI that they maintain or store for the ultimate covered entities, but still may be considered business associates. Other similar vendors may fall under a “conduit exception” and not be considered business associates under HIPAA. In either case, they may nonetheless have obligations other than HIPAA (statutory or contractual) to notify their customers of a breach. In these cases, however, the vendors simply may not be in a position to provide critical information upstream, such as identity of the affected individuals.
• As the reporting of the data breach travels upstream, the covered entity may be completely unaware of the breach. It could be weeks or even months after the breach actually occurred before news of the breach reaches the covered entity. Consider that the vendor that experienced the breach may not have discovered it for some time after the attack happened, further expanding the time between the breach occurring and ultimate notification to patients.
• Upon discovery of a security incident from a business associate, which already could be long after the breach actually occurred and several layers downstream, the covered entity must initiate its incident response plan. One of the first tasks will be to understand what happened and what data was affected. This news often does not come with a spreadsheet from which the affected individuals could easily be identified. It may instead arrive in the form of a long list of files and folders that contain thousands and thousands of documents, images, records, etc. Many of these items may have no PHI whatsoever. The challenge is to find those documents, images, records, etc. that do, and to pull from those items the individuals affected and the kind of information involved. This process, sometimes referred to as data mining and document review, often is complex, time-consuming, and costly.
• On completion of the data mining and document review process, the covered entity will begin to have a better sense of the individuals affected, the type of information compromised, the state(s) in which those individuals reside, etc. At this point, covered entities will work quickly to arrange for notification to individuals, the OCR, and, if applicable, the media, state agencies, others. 

There is no doubt that breach notification laws serve an important purpose, namely, to alert affected individuals about a compromise to their sensitive data so that they can take steps to protect against ID theft and other risks. However, the promptness of notice can and often is hampered by factors outside of the covered entity’s control, particularly if the measure of promptness is the time between the date the breach occurred (regardless of what entity experienced the breach) and the date of notification to individuals.

All that being said, there may be some ways that covered entities might tighten up this process. One consideration, of course, is to adopt, regularly assess, and practice an incident response plan. Another is to have a more granular understanding of the data certain vendors are handling for the covered entity. Still another consideration is to revisit the entity’s vendor management program. Looking more closely at downstream service providers beyond direct business associates might be helpful in assessing the notification process and timing should a breach take place downstream. Having more information about downstream vendors, their roles, and the data they process may serve to shorten the notification timeline. Ultimately, even if there is a delay downstream, before the covered entity discovered the breach, a well-executed incident response plan, one that results in a shortened timeframe between discovery and notification, could help to improve the covered entity’s defensible position whether facing a litigation or government agency enforcement action.