- OCR seeks HIPAA audit feedback
- Former UConn employee breached health records
- OCR's message in HIPAA settlement: Encrypt your data
- OCR looking for 'high level of sensitivity' in data breaches
- OCR will train state AGs to enforce HIPAA
- Mass General pays $1M to settle potential privacy violations
- 4 steps for business associates to comply with omnibus HIPAA
- Omnibus HIPAA: BAs, breaches will get worse before better
- ISU to pay HHS $400K for violating HIPAA
Regulators looking over your shoulder. Million-dollar fines lurking around the corner. Every flash drive a data breach booby trap. The world of healthcare data privacy may seem scarier than the latest horror flick.
It doesn’t have to be that way.
The 4 data breach response best practices discussed in the previous article can ease the fear factor and allow organizations to achieve what regulators call a “culture of compliance.”
But how do executives and privacy officers know that their compliance activities are effective? We’re not talking compliance with the HIPAA Privacy Rule. Rather, we mean privacy compliance, which offers a broader perspective on the outcome of a data breach response.
No certifying body or standard exists for determining privacy compliance. In the absence of legislation, we’re proposing that organizations set their own standards for measuring the success of a data breach response. The big question is: Has an organization done everything that is reasonable from a patient’s perspective to ensure a positive outcome from a data breach?
When looking at privacy compliance, an organization faces some tough challenges. For instance, a healthcare provider must:
- Know what its risks are and prioritize those risks
- Meet compliance requirements
- Stay compliant on an ongoing basis
- Ensure business associates meet compliance requirements
- Know where PHI is located and used
- Know when a breach occurs
- Measure compliance—and make those compliance metrics understandable
Tools and services such as risk assessments, PHI inventories, and an Incident Response Plan (IRP) can help an organization meet most of these challenges. But the idea of measuring the tangible and intangible aspects of a data breach response is definitely new, and requires something more.
A “balanced” approach to measuring compliance
Businesses and government agencies have long used balanced scorecards as a strategic planning tool. Healthcare organizations use this method to align their mission vision and values and patient care. With all the metrics and factors to consider, a balanced scorecard is also an ideal tool for objectively measuring the effectiveness of a provider’s compliance activities.
[See also Part 1: 3 Tips for surviving an OCR breach investigation and Part 2: 9 steps to take during an OCR data breach investigation.]
When assessing the impact of a data breach response, most executives only consider the bottom line: what were the notification costs, fines, and so on. But what about other outcomes: harm to patients, patient churn, media response, the number of victims and other factors? Measuring all factors gives organizations a more accurate picture of the effectiveness of their compliance activities during a data breach, and allows them to make adjustments accordingly. There are other benefits to using a balanced scorecard, as well:
- Executives can relate to balanced scorecards, seeing the compliance numbers in a way they understand helps to justify costs.
- It helps an organization identify its best practices and where it’s at risk for a data breach.
- It aids in a post-breach investigation from the Department of Health and Human Services’ Office of Civil Rights (OCR). Using metrics—and a balanced scorecard to provide the ultimate measurements—helps to demonstrate compliance over time and generates goodwill among patients. There’s nothing the OCR likes more than an organization that is self regulating. It sets a compliance baseline and continually measures its performance against that baseline.
A balanced scorecard can provide valuable measurements for nearly any aspect of compliance, including:
- Victim perception: Percentage of “delighted victims,” (as we refer to patients who have had complete identity recovery), percentage of escalations, call-center numbers, percentage of successful identity recovery, and patient retention. This last item reflects how patients perceive a healthcare organization’s response to a data breach. For instance, a recent article noted that patients were delaying treatment because of the shocking number of data breaches by the National Health Service in England.
- Regulatory compliance: Avoiding a corrective action plan (CAP) with voluntary compliance, minimizing fines and penalties, avoiding litigation, etc.
- Impact on reputation: Percentage of positive/negative press mentions, executive surveys, lawsuit and the results of online research (e.g., the number of complaints, civil suits, and breaches an organization has experienced)
- Financial impact: Cost per patient record, including notification costs, legal fees, and fines; stock prices; and the actual cost vs. planned cost
- Other: Workforce awareness and training, third-party assurances, including certifications, security and privacy seals, risk assessments, etc.
Achieving and measuring an organization’s privacy compliance doesn’t have to be scary. Our experience has shown that healthcare providers who sincerely try to do the right thing by their patients and are proactive in their approach to compliance have little to fear. A balanced scorecard simply provides a baseline for improving an organization’s privacy and security measures, helping executives better prepare for future incidents — and achieve positive outcomes for everyone.