A data breach in healthcare is like no other. When a health system fails to safeguard patient data, the breach goes beyond the personal financial information typically compromised when a retail chain fails to protect its customers' credit card numbers. Hospitals and other providers, after all, must keep safe very personal and sensitive information — information about our health. Providers uniquely depend on the trust of their patients — trust that, once broken, can be hard to mend.
Imagine that a health system with multiple locations learns two unencrypted laptops — containing protected health information for about 50,000 patients — have been stolen from its central billing office. The system must act quickly yet thoroughly to navigate the communications and legal challenges of the breach.
Planning to be successful
Before anything else, the health system must get organized. Ideally, the health system has a data breach incident response process that will facilitate prompt discovery of the incident and coordinate how the health system investigates the incident, mitigates harm and complies with all regulatory obligations. The health system also will benefit if it has a crisis communications plan already in place. This plan is the starting point for communications leaders when any type of crisis hits, such as a mass-casualty accident on a nearby interstate highway, an on-campus incident or a reputational crisis such as a breach of PHI. Having a plan in place ensures that the logistics of crisis communications — where to conduct news conferences, how to ensure continuity of communications in a disaster, who handles what in a crisis — are thought out in advance.
At the core of a data breach response is an incident response team. With representatives from communications, operations, compliance and legal, the incident response team should meet regularly throughout the life of the incident. Initially, this may require daily (or more frequent) meetings to stay tightly coordinated and to enable a timely response. Later, the meetings may become semi-weekly or weekly as needed.
Actions following discovery of the incident
Once the incident is discovered, the team will need to focus immediately on stopping further non-permissible uses or disclosures (if possible) and gathering the facts, possibly in conjunction with a forensics data analysis firm. This will uncover answers to key questions: What kind of data was involved? Was the data encrypted? Did it include Social Security numbers? Have the laptops been recovered? Can they be wiped remotely? Where do affected individuals reside? The facts will determine federal and state reporting requirements.
Understanding all of the applicable state law requirements can be a challenge, given that over 40 states have breach notification laws that vary in their requirements and are subject to frequent change. At the federal level, the HIPAA breach notification rules now presume a non-permitted use or disclosure of unsecure PHI is a breach. The burden will be on the health system to establish that the incident involved a low risk of compromise to the PHI by performing a risk assessment. In the case of stolen laptops, if the laptops are unencrypted, overcoming the breach presumption will be difficult (unless the laptops are recovered and a forensic analysis supports that data on the laptops was not accessed).
After completing this fact-gathering and analysis, legal should give an overview report to the incident response team. The facts and the reporting requirements provide the framework for how the health system will need to respond to the situation, from both legal and communications perspectives.
In some scenarios, the health system might not be legally required to report the incident, if the facts demonstrate the incident is not a breach under HIPAA and does not implicate any state laws. But the team should also consider the damage the system's reputation could sustain from the situation. If news of the incident leaks — and it quite possibly will — the health system should consider how a patient would feel upon learning about the incident in the morning paper and whether government regulators (as well as the public) will agree with the health system's determination that no breach occurred. The health system must carefully weigh its risk tolerance and comfort level with its analysis. For example, if the health system's forensic analysis demonstrates that the data on the laptops was not accessed, the health system will need a clearly drafted report from the analysts and may need an outside expert's confirmation, if the analysis was performed by an in-house information technology department.
Truth and timeliness
Once the health system determines the incident requires notifications under HIPAA, state laws or both, the health system must move quickly to provide all required notifications. Given the size of this incident in the example, the health system will be required by HIPAA to notify the media and the Office for Civil Rights at the same time that it notifies affected individuals. It is unlikely that it will have up-to-date contact information for all affected individuals, so it should plan to provide substitute notice consistent with HIPAA and all state requirements.
In tandem with the rest of the data incident team and consistent with applicable reporting requirements, communications will develop an overarching communications plan that identifies communication vehicles, audiences and timeline, and a set of core messages. Communicating a breach requires action that is both quick and accurate. While patients need to hear about the breach from the health system itself, truth should not be sacrificed for timeliness. Reviewing communications with the rest of the crisis team will ensure their accuracy. All communications should be thoroughly vetted by legal and operations.
Transparency is key in all communications about the breach. Of course, not all details about the breach can or should be shared. Further, there is a fine line between acknowledging the mistake and dwelling on the past. The system must communicate to its affected patients (and other audiences) what steps it is taking to remedy the situation and, more importantly, how it will prevent such a breach in the future.
Open a dialogue
Given the deeply personal nature of health information, it is critical that the health system ensure a two-way dialogue. Affected patients likely will have many questions and need an avenue to connect with the health system. HIPAA and state law obligations will require providing affected patients with contact procedures to use to ask questions and learn additional information, such as a toll-free telephone number. Some health systems have set up a dedicated page on their websites for this purpose, with all the important information patients need and a contact form or dedicated email address for submitting questions.
The communications team should anticipate these concerns and have a set of frequently asked questions with corresponding answers. Whether in-house or at a vendor call center, the health system must leave enough time before issuing communications to make sure the representatives fielding patient questions are knowledgeable enough to speak confidently about the situation. Quickly training call center staff on a script is important to avoid delays in providing required notifications. Identifying a call center vendor should be part of advance planning for any crisis communications situation.
The health system's employees will also need to be equipped to respond to patient questions. The crisis team should plan an internal roll-out to ensure a consistent message is shared with employees, as well as guide them on how to answer patient questions. Individual hospitals and ambulatory sites will need their own communications toolkit, including talking points and FAQs.
If the communications plan calls for a news conference, the team should choose and train one or more media representatives (media training of key executives is another best practice as part of crisis communications planning.) Legal will offer clear guidelines about what to say, while communications provides training on how to deliver the messaging and interview tips to stay on message under questioning.
Look for recovery opportunities
After the communications plan has been executed, the work is not over. The health system must quickly confirm that it has implemented necessary corrective actions to avoid future incidents and be prepared for regulatory scrutiny. The system could be investigated by not only OCR, but also state attorneys general (for all states in which affected patients reside), state licensure agencies and the Federal Trade Commission. It also may receive scrutiny from third-party payers. Class actions brought on behalf of affected patients are becoming increasingly common. The incident team will need to hold periodic check-in meetings to evaluate responses received in response to the notices it has provided, the status of its mitigation and corrective actions and to confirm it is prepared for investigations or possible litigation.
At times when dealing with a crisis and the necessary focus on providing required notifications quickly, documentation of what happened and what was done can become disorganized. It is possible that the health system will receive requests for supporting documents from OCR or other regulators months after the incident, when memories have started to fade and key personnel may no longer be with the organization. Thus, once the initial crisis has passed, it is a good practice to gather internal reports and notes, confirm that key steps and conclusions have been clearly documented, and ensure the documentation can be easily located when needed in the future.
If positive developments warrant, the team may consider updating important audiences on progress that has been made, such as the apprehension of criminals accused of stealing the laptops. Continuing to communicate to key audiences beyond the initial announcement will help the health system make this a short-lived crisis and mitigate damage.
Rebecca Ayer is a senior executive advisor with Jarrard Phillips Cate & Hancock Inc., a healthcare strategic communications firm. Elizabeth Warren is a member in the Healthcare Industry Practice Group at Bass, Berry & Sims PLC.