In simple terms, security data breaches are when a company vulnerability (technical or non-technical [i.e. employee related]) is exploited and, as a result, access to customer information or other data, applications, or networks is granted to an unauthorized individual. When a breach occurs, depending on the security framework, notification of the security breach is required. This post will explore the requirements for breach notification for both HIPAA and SOC 2.
What is the HIPAA Breach Notification Rule?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was created as a way to advance the health care system and implement standards for dealing with electronic transactions that included patient or other health related information. Over the years HIPAA was shaped through different rules. One of these rules included the Breach Notification Rule.
The Breach Notification Rule requires that organizations that are expected to follow HIPAA rules notify their customers in the event of a security breach.
HIPAA defines a breach as, “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.” It is important to note that It is not considered a breach if the information that was compromised was not readable. For example, if the information is obtained by an unauthorized source but it was encrypted resulting in information that is not usable, that is not considered a breach. The information compromised must be in a form that is readable and can be exploited to be considered a breach.
HIPAA Breach Notification Plan
If there has been a breach of readable electronic protected health information, the HIPAA Breach Notification requirements should be followed.
- Depending on the breach, companies are required to notify certain individuals and/or entities that a breach has occurred. Notices should be sent to the individuals whose information was compromised.
- If the breach includes less than 500 people the company is not required to provide any other notices unless more than 10 of the individuals affected cannot be reached through the companies first attempt at reaching them because they do not have the most current mailing address.
- If there are 10 or more individuals that cannot be reached, the company is then required to either post the breach on their website for at least 90 days or on a major media outlet to try and get the message out to individuals who may have been affected.
- Notifications to individuals must be completed in a reasonable timeframe but not to exceed 60 days for any reason.
- If the breach included more than 500 individuals, the HIPAA Breach Notification Rule increases the requirement for visibility of the breach. At this point, the company must notify the media as well as the U.S. Department of Health & Human Services (HHS).
- When notifying media outlets, companies must notify major outlets so that the breach can be broadcasted to as many individuals in that area as possible so that individuals can take proper precautions for monitoring. As with individual notifications, media notifications must be completed as soon as possible but not to exceed 60 days.
- Finally, when breaches exceed 500 individuals, companies must also notify HHS no more than 60 days after the breach occurs. HHS maintains a list of breaches that have affected more than 500 individuals. That list can be viewed here. The website provides the following information: name of the covered entity, state, covered entity type, individuals affected, breach submission date, type of breach, and location of breached information.
What Happens if a Breach Occurs by a Business Associate?
A business associate is an organization that has access to a company’s electronic protected health information. If a business associate has caused a breach, the business associate is required to notify the company it is supporting once the breach has been identified.
The Breach Notification Rule requires that the business associate’s notification is as soon as possible but no more than 60 days. This length of time can be defined further in the company’s Business Associate Agreement (BAA) established with the business associate. In fact, setting a reasonable timeframe that a business associate is required to provide their notification, such as 5 business days, is encourage so that companies can take proper action, as required.
SOC 2 Breach Notification Requirements
Unlike HIPAA, SOC 2 does not have a rule with specific requirements as a result of a breach. With that said, SOC 2 does require that organizations be able to provide evidence that breaches are monitored, evaluated, and analyzed until remediation is achieved.
Breaches and security incidents are tested within common criteria 7 or Systems Operations. The specific common criterion reads as follows; the entity evaluates security events to determine whether as a result, the entity could not meet its objectives and if it is determined yes, then the entity evaluates why and how it can be avoided in the future.
To gain an understanding of whether or not the entity accomplished this criterion, the auditor will do a number of different audit tests. These tests may include reviewing policy and procedures in place which detail how security events are identified and responded to, how entities analyze and communicate such security incidents, and finally whether or not an assessment was completed to determine whether personal information was impacted or if there was a breach.
To satisfy this specific criterion, companies should have process documentation in place that defines what a security incident is as well as how the incident is escalated. Security incidents, which should include breaches, should be documented in a centralized repository for easy retrieval so that they can be reviewed and tested to confirm that the proper escalation process was followed. If the security incident includes a breach, a step that the individuals affected were notified should be maintained.
Finally, it’s important to note that security incidents which were the result of a breach are required to be disclosed within the SOC 2 report. At a minimum, the SOC 2 reports must include the nature of the incident, the timing of the incident, and effect the incident had on the entity and its users. For more information on disclosure of incidents, read my other article, New Criteria for SOC 2 Reporting on Cyber & Information Incidents.
Breach Notification Rule – HIPAA and SOC 2 Recap
Breaches are unfortunately becoming more common and as a result, it is important to understand what is required from a company perspective so that proper escalation procedures can occur.
If your company is bound by HIPAA, then it is especially important to understand the laws your company is required to follow. Not following the proper procedures and having safeguards in place can often time result in hefty fines.
If your company receives a SOC 2 report then it is important to have the necessary process documentation and supporting controls in place, which will help identify and escalate security incidents, such as breaches. This will help provide your auditors with the assurance necessary to support the common criteria detailed above.
For more information, check out some of our other articles about breaches as they relate to HIPAA and SOC 2.
- The HIPAA “Wall Of Shame”
- A Summarized Guide to HIPAA Compliance Audits
- What’s the Difference Between the SOC 2 Security and AT 601 HIPAA Security Requirements?
- Out of the Box – Into A Data Breach?
- New Criteria for SOC 2 Reporting on Cyber & Information Incidents
Jaclyn Finney started her career as an auditor in 2009. She started with Linford & Co., LLP. in 2016 and is a partner with the firm. She is a CISA with a special focus on SOC, HITRUST, FedRAMP and royalty examinations. Jaclyn works with her clients to provide a process that meets the needs of each customer and generates a tailored report that is useful to the client and the users of the report.