Breaches of patient information can expose your medical practice to significant risks. When you suspect a breach, you need to act IMMEDIATELY.

Despite the risk of experiencing a HIPAA breach exceeding 89%, fewer than half of healthcare organizations have formal incident response plans and procedures. When an actual or suspected breach occurs, it is vital for covered entities and business associates to have a simple, streamlined, and expeditious plan to respond. These breaches can be anything from a lost thumb drive or laptop to a sophisticated cyber-attack, but a good breach response plan will be flexible enough to work in a variety of circumstances. There are standard responses that the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), the government entity that polices HIPAA compliance, expects to see when health data has been compromised. These include protocols for investigation, mitigation, and notification of affected individuals. According to a recently published alert from OCR, these standard responses should be in writing, and should provide a “roadmap for implementing [the practice’s] incident response capabilities.” So, if you haven't already, you need to write down your plan for responding to privacy and security incidents that you suspect may have resulted in a breach. If you have reason to believe some of your patients’ protected health information (PHI) has been compromised, you should immediately follow the steps below:
Any data breach could potentially lead to litigation and federal administrative action. An experienced healthcare attorney will be able to walk you through the appropriate steps and help you to minimize your legal and financial exposure.

INVESTIGATE the incident.

Before you can develop a plan for responding to an incident, you must know the breadth and depth of the incident itself. You must perform an investigation to define and scope the incident. Depending on the nature of the incident, you may be able to do this by interviewing staff and checking computer/EMR records. You may, however, need to hire a security firm that can perform digital forensics on the relevant devices and/or networks. Important questions to answer include: What was the nature of the incident? Who was involved? When was it discovered? How many records are affected?

STOP the incident.

If the incident involved a piece of hardware or software (as opposed to a paper/verbal records breach), take steps to disable access to your PHI. For instance, if you have the ability to remotely wipe a stolen mobile device, do so. If your cloud-based EMR may have been compromised, disable all access to the software and/or change passwords.

DOCUMENT the incident.

Make a written record of all of the information gathered during your investigation, and the steps taken to mitigate further damage. You will need to document the scope of the incident, the parties involved, the series of events leading up to the incident and the steps taken by staff to prevent further damage. It is most helpful to make a timeline, starting with when the incident started and when it was discovered.

ANALYZE the incident to determine your obligations under HIPAA and your state's breach notification laws.

A privacy or security incident may or may not constitute a HIPAA breach, and HIPAA may or may not require reporting. Even if the incident is not considered a breach under HIPAA, your state may apply different definitions and tests. You will work with your healthcare attorney to determine whether the information gathered during the investigation stage indicates that the incident is a breach, and whether you are required to notify those affected, any government officials, or the media.

NOTIFY the proper individuals.

If it is determined that a HIPAA Breach has occurred, you must notify HHS and the individuals whose PHI has been compromised. Depending on the number of individuals whose PHI has been compromised, you may also need to notify the media. You may also be required to notify your state’s Attorney General, and provide substitute notice via media. Last, depending on the circumstances revealed through investigation, it may be prudent to contact the IRS, law enforcement, the FTC, etc. Your healthcare attorney will be able to guide you in decision-making.

LEARN from the incident.

What could you have done to prevent the incident, or to minimize the damage when an incident like this occurs? Gather key staff to discuss these questions, then update your incident response plan accordingly. If you do not have an incident response plan in place, you may consider hiring an IT firm to perform a full risk analysis to help you determine the gaps in your HIPAA compliance policy. At the very least, implement some safeguards targeted at reducing the likelihood of a similar incident in the future.

A quick note about pre-breach activities: This post is focused on what to do after an actual or suspected breach, but there are steps all practices should take RIGHT NOW to prepare for such an occurrence. The first is to devote time to creating the “roadmap” described above. This requires collaboration with internal resources and training staff on appropriate breach response. The second is to develop relationships with the various individuals and entities you will need in order to respond adequately. These should include cyber-liability insurance brokers, law enforcement, an experienced healthcare attorney, federal and state agencies, IT security professionals, credit monitoring professionals, legal professionals, etc. Incident response is much swifter if you already know who you’re going to call when it occurs!

If you have experienced a breach, or are concerned about whether your organization is vulnerable to a breach, contact Nixon Law Group’s HIPAA counsel, Rebecca E. Gwilt, at for an initial consultation.
