6 tips on privacy and how it improves the bottom line

Data breaches involving patient data are hitting healthcare providers large and small. In the wake of these exposures, patients and regulators alike want assurances that companies are properly safeguarding protected health information and other individually identifiable electronic data.

To that end, businesses operating in the health sector need to be well versed in the requirements placed upon them under HIPAA, HITECH and the Federal Trade Commission's Health Breach Notification Rule. They should also ensure they are familiar with best practices around risk mitigation, from drafting effective breach response plans to updating their Notice of Privacy practices to reflect the evolving requirements.

While regulators have drafted new mandates to move toward more robust breach notification requirements, consumers are also taking note of their healthcare data privacy options. To be sure, it would take a lot for most people to change their healthcare provider. However, there is no denying that a data breach hurts a healthcare provider's reputation, and fines and penalties cut into already thin margins. Furthermore, a breach from a supplier to a covered entity can cause the healthcare company to avoid using the supplier altogether.

A cascade of requirements
Healthcare providers, other covered entities and their business associates operate under a number of data privacy and breach notification regulations, including those instituted by HIPAA, the HITECH Act and the Federal Trade Commission. These compliance mandates deal with the exposure of protected health information and, in some cases, the risk mitigation strategies CEs and BAs must employ.

The HIPAA Omnibus Final Rule, effective since early 2013, revised how CEs and BAs respond to potential data breaches. They are now required to notify affected individuals — as well as HHS and, in some cases, the media — that a breach occurred. If a BA experiences a breach, it must also notify the CEs. Also detailed in the Final Rule are requirements for notification timing in relation to the discovery of the breach, what information must be included in the notification, the methods for notifying affected individuals and what additional victim resources must be provided.

Companies that provide services to healthcare providers and that may not themselves be covered under HIPAA, but that still work with personal health records, patient Web portals or other healthcare activities involving sensitive data, are likely required to comply with the FTC's Health Breach Notification Rule. Effective since early 2010, this regulation mandates specific notification protocols that, similar to the HIPAA requirements, may involve notifying not only affected individuals but also the FTC and potentially the media.

In addition, 47 states and several U.S. territories have passed their own breach notification laws. Many of these require notification to other parties — state attorneys general, credit bureaus, regulators, etc. — and some have varying regulations around notification methods and time frames. Any healthcare organization subject to breach notification mandates through either HIPAA or the FTC should also determine its responsibilities under these other jurisdictions.

Competitive advantage
Having the resources to implement an effective data protection strategy and the expertise to respond appropriately to breach events are crucial in a sector as competitive as healthcare. Hospitals and other provider organizations devote significant dollars to attracting new patients and retaining existing ones. But years of work building a trusted brand can be quickly undone if a breach occurs and the response is bungled. Carefully cultivated patient trust is suddenly lost. Community perceptions and the backing of important local partners may decline. Revenue-conscious organizations have discovered that effective security and breach response strategies are far better than suffering the reputational harm that follows a poorly managed breach.

Reducing the risks
Though data breach events in the healthcare sector continue to be announced with startling frequency, there are a number of ways companies can protect themselves from exposure. It's also possible to devise a breach response strategy that minimizes the public backlash if patient data is exposed.

Breach response policies
A breach response policy outlines expectations for employees, contractors and suppliers with regard to security and privacy protocols, and it provides for disciplinary action if those expectations aren't met. The policy tells every person with access to sensitive data precisely how to identify potential compromises and what they should do if they suspect protected information has been compromised. It may list the steps individuals should take if a piece of computer equipment is lost or stolen, if a mis-mailing or other event has occurred or if they see others in the company violating the organization's data protection protocols.

Breach response teams
Knowing who will be responsible for specific actions if a potential breach is identified enables your organization to move quickly. This aids in minimizing the impact or even halting the event before an actual breach occurs.

Identifying a breach response team brings participants together and provides a single playbook for everyone to use in the event of a breach. A breach response team should include not just IT staff but also information security and risk management personnel, legal counsel, HR and media relations professionals.

Depending on the resources available inside the company, it's often prudent to establish relationships with external experts who can offer additional guidance and support. These may range from public relations teams who can help manage communications and assist your team in crafting the best message to minimize reputational harm, to forensic experts with the knowledge and tools to evaluate the event and determine what information, if any, was exposed and the source of the event. Technology advisors may also be needed to determine which steps your organization should take to restore systems and prevent future occurrences.

Breach response procedures
Breach response procedures are the specific steps your organization will need to take if a data exposure is reported. Common actions include coordinating with legal counsel to perform all response activities in accordance with legal and regulatory requirements, engaging internal and external technical resources to determine the nature and extent of the exposure as well as to stop intrusions, and keeping employees, executives and potentially the media informed. Additional steps may be prudent as well, depending on the situation. The person appointed to lead the breach response should be familiar with the organization, with available resources and with protocols for responding to security events so that she or he is able to direct the team dynamically as events unfold.

Because the organization's needs and security posture will change over time, and because the threat landscape is also likely to change, it's important these procedures are regularly reviewed. Your company should evaluate the procedures at least once a year to address staffing changes, technology changes, new potential exposure points (patient portals, etc.), new vendor relationships, changes in where or how data is stored and anything else that may affect where risks exist and how the organization can best respond to breach events.

Annual risk assessments
Those organizations that are subject to any of the federal healthcare data protection mandates should be reviewing their security posture on a regular basis. Though the regulations don't stipulate formal time frames, one common rule of thumb is to conduct a HIPAA risk assessment annually. There are tools provided by HHS and others that are designed to facilitate this task, which can be time-consuming.

If your company doesn't have a security expert in-house, external resources are available to help ensure the annual assessment is carried out correctly. Experienced guidance can provide the necessary assistance to identify and correct potential security weaknesses, to weight identified vulnerabilities and prioritize the remediations, to review existing data protection methodologies and to work with your team to develop and implement practical risk remediation strategies.

Privacy disclosure documentation
Because strong communication with patients is a critical component in any data protection program, many providers are working to update their Notice of Privacy Practices documentation to better reflect the many ways that patient data may be collected, stored and distributed. Patient information is no longer simply gathered during admission or check-in. It may now be transmitted through patient portals, between facilities via EHR platforms and through other tools that often weren't previously addressed.

The Final Rule also expanded which instances of PHI disclosure must be included in the NOPP. Marketing or fundraising activities that involve contacting patients or the use or disclosure of their PHI, for example, should now be clearly stated. Healthcare providers (though not necessarily all CEs) may also need to update their NOPPs to address circumstances where patients pay in full out-of-pocket for healthcare services — rather than through an insurer — and thus have rights to restrict some disclosures of their PHI to a health plan. Updated NOPPs also need to include language that tells patients about their rights to opt out of certain communications and their breach notification rights if their PHI is exposed.

Business Associate agreements
To ensure your organization's vendors are carrying out their expected security responsibilities, it may be wise to revise and update existing BA agreements to better encompass the expanded data protection and breach notification requirements. In previous HIPAA mandates, BAs didn't have direct liability for breach notification or failure to implement proper data protections. That has changed under the latest governance with BA organizations now required to be in full compliance with all safeguard requirements and shouldering liability for their violations.

Data safeguards and breach notification requirements for each subcontractor for a BA — organizations that are now considered BAs under the revised guidelines, which is a significant change from previous mandates — should also be spelled out. BAs are now specifically required to follow the HIPAA security and privacy rules and to provide employee training on these requirements. Considering the scope and impact of these regulatory changes, CEs can better protect themselves and their patients' data by reexamining the language in their existing BA contracts.

Deena Coffman is chief executive officer of IDT911 Consulting.

Copyright © 2023 Becker's Healthcare.
