Dealing with sensitive protected health information (PHI) is no simple task. At any point along the spectrum of patient care—from initial diagnosis to billing—PHI is vulnerable to unauthorized disclosure. So, what’s an organization to do when faced with a privacy incident?
Before firing off a press release, it’s important to assess the situation. Remember, all breaches begin as incidents, but not all incidents turn into breaches, and the distinction is critical. A security incident, in the HIPAA Security Rule’s terms, is the attempted or successful unauthorized access, use, disclosure, modification, or destruction of PHI. A breach, on the other hand, is an impermissible acquisition, access, use, or disclosure of PHI that compromises its security or privacy; under the 2009 HITECH Breach Notification Interim Final Rule, that meant one posing a significant risk of financial, reputational, or other harm to the individual. (Note that the 2013 Omnibus Rule replaced this harm threshold: an impermissible use or disclosure is now presumed to be a breach unless a documented four-factor risk assessment shows a low probability that the PHI was compromised.)
It is that risk to patients that puts an organization in the line of sight of the U.S. Department of Health and Human Services Office for Civil Rights (OCR). Every incident (or breach) is different, but the nine steps to take during an OCR investigation are the same, especially if you seek a positive outcome:
1. Learn your HIPAA status: Only organizations subject to HIPAA regulations—covered entities and business associates—are of interest to OCR. For smaller providers or downstream contractors, it’s not always easy to determine HIPAA status. Legal advice is a must. One thing to keep in mind: because the HITECH Act extends the HIPAA regulations to business associates, the scope of culpability has widened to seemingly unrelated businesses or providers. Know where your organization stands.
2. Get HIPAA/HITECH compliant. The laws surrounding PHI data privacy are complex and evolving. Organizations must have policies and procedures in place that help them adhere to these regulations before, during, and after an incident. This creates a defensible position in the face of an OCR investigation. (The Breach Notification Rule places the burden of proof on the covered entity or business associate: it must be able to demonstrate either that all required notifications were made or that the incident did not constitute a breach. Documentation is how that burden is met.) Some tips:
• Create or purchase a software tool for logging every event, incident or breach, in a consistent format, so that each entry captures what happened, what PHI was involved, who assessed it, and what was decided.
• Document the methodology for determining if an incident is indeed a breach and if notification is required.
• Spell out in your policies and procedures what constitutes a breach and what triggers a “notifiable” event. Identify any data elements (for example, Social Security numbers or diagnosis codes) that are particularly sensitive or exposed in your business and that should raise the risk rating of an incident.
• Create an incident response plan (IRP). An IRP serves as the baseline for a defensible response, allowing providers to react to complaints or data breaches in a timely, methodical, and documented way.
3. Get help. This is no time to go it alone. Smart executives call in appropriate legal counsel before saying a word to investigators. Attorneys should be current on data breach notification laws and have practical experience in dealing with HIPAA and HITECH matters. An integrated services provider can help orchestrate a response that ensures compliance with the HITECH Breach Notification Interim Final Rule, applicable state breach laws, and other requirements.
• Expert help is especially crucial when it comes to the who and how of notification. Affected patients, HHS/OCR, the media, state Attorneys General, and other state regulatory authorities have specific notification requirements. An integrated services provider can manage the communication and notification strategies, ensuring the right audience receives the right message at the right time.
• A plan for mitigating harm to affected patients is another factor. Deciding who to help and how to help them can be tricky. Is credit monitoring enough? What about medical identity monitoring? Identity recovery services? Remember the possible civil AND criminal consequences—and plan accordingly.
4. Determine who is financially responsible. Data breaches are costly, but an organization can find ways to offset expenses. For instance:
• Have legal counsel review business associate agreements and other contracts for provisions that shift the risk or cost to the business associate or another party. Indemnification clauses and other contractual or statutory remedies may also apply.
• Seek cyber liability and data breach insurance, but carefully review what is covered and how services are delivered. Some underwriters provide you with a great deal of flexibility in managing a data breach incident and vendor selection. Others will require that you use their team and that they control the process. So carefully review your organization’s culture and requirements along these lines before selecting a policy.
• If, after due diligence, an organization will still have to “pay up,” it should consider the present costs of remediation vs. potential future costs: OCR complaints and penalties, lawsuits, actions by states’ Attorneys General, and bad PR. Expensive as the immediate price tag seems, a poorly executed response can be much worse.