Although the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") is certainly not a new topic of interest for hospitals and health systems, the 2013 changes to HIPAA's privacy and security regulations, in combination with the government's reinvigorated approach to compliance and enforcement, reinforce the need for health care providers to remain focused on preparing for the inevitable likelihood that privacy or security issues will occur.
Unfortunately, and especially for larger provider organizations, the vast number of people whose responsibilities involve viewing or creating patient data, together with the growing use of technology in the health care sector, makes it likely that news reports of significant breaches will only continue to grow. Equally important, however, is the potential exposure that can come from the less "newsworthy" aspects of HIPAA compliance, especially if the United States Department of Health and Human Services' Office for Civil Rights ("OCR," the federal agency responsible for HIPAA enforcement) becomes focused on a provider as a result of a breach having occurred.
With that said, there are two important aspects to a hospital's HIPAA compliance program: (1) traditional compliance efforts designed to train staff and ultimately prevent problems from occurring; and (2) advance preparation for responding to a problem once it occurs. Although these two areas involve some overlap, many health care organizations have neglected to focus considerable energy on "breach readiness." When a breach occurs, there are a number of processes that need to be set into motion simultaneously, and the extent to which economic and reputational damage can be minimized is often directly related to how prepared the provider is to respond quickly and appropriately.
Be Prepared to Respond Quickly
First, it is critical to minimize the amount of time spent figuring out what happened. Whether the underlying incident was caused by the hospital's business associate vendor or by a member of the hospital's workforce, the potential breach must be reported to the hospital's privacy officer as close to immediately as possible. Although it is challenging to avoid some reporting time lag when the incident is caused by a vendor (something that can be addressed when negotiating vendor agreements), providers should take the time to ensure that all workforce members are appropriately sensitive to when a "situation" may rise to the level of a HIPAA breach. Although a breach brings with it some unavoidable exposure, a provider's ability to respond quickly and appropriately goes a long way toward preventing the magnification of that exposure.
Get the Right (Internal and External) Team in Place
Internally, providers should maintain a standing committee composed of the people who will need to be involved in understanding the breadth of what occurred and making the key decisions about how to properly respond. Typically, these people include the privacy officer, the security officer, the compliance officer, the chief information officer, a member of the legal team, and a member of the public relations team. Finally, to the extent that a provider's internal legal team does not have HIPAA expertise, it is prudent to have a relationship with outside counsel who has navigated breach response and OCR investigations.
In the midst of dealing with the legal risks related to a potential breach, the simultaneous task of addressing all of the logistics associated with a proper response can be quite daunting. First and foremost in this regard is ensuring that the required "breach notifications" to affected patients will be prepared and mailed, whether by the provider's workforce or by an outside vendor. For larger breaches (especially if the affected individuals reside in multiple states), it is often prudent to prospectively contract with a company that can efficiently take the lead in managing this process. Any time a breach involves the disclosure of Social Security numbers, offering free credit monitoring services has become part of the typical response. Rather than waiting until a breach occurs to arrange for this offering, providers should prospectively reach out to vendors.
Related to sending written communications to patients is the need for providers to maintain a call center that will field the patients' inevitable questions and concerns after they receive the written notification. As with the notifications, providers are well served by engaging a vendor with staff focused on handling these conversations well. Although certain patient concerns are best addressed by the hospital's privacy/compliance officer directly, the majority of questions are often best handled by people whose job is to have these sorts of conversations.
Lastly, if media notice must be provided (either because of state law requirements, or because the breach is large enough that HIPAA requires it), it is helpful to engage a vendor who already knows whom to contact at each of the targeted media outlets. This is particularly true if the breach involves multiple states and numerous media outlets must be notified. Furthermore, developing a relationship with an outside public relations firm enables providers to fine-tune their messaging so that the patient population does not suffer unintended and unnecessary concern.
There is Insurance for Everything
As much as hospitals would prefer never to suffer a breach, the likelihood of human error, as well as the ever-growing threat of hackers, suggests that breaches will occur. In consideration of that reality, hospitals should protect themselves from the financial hit that often comes with breaches (and their subsequent investigations). In addition to ensuring that they have the appropriate insurance to address the losses associated with a HIPAA breach, it is equally important that someone on the breach response team communicates promptly with the appropriate insurance company representative. Beyond that, it is prudent for hospitals to seek counsel as to what should be communicated to insurance companies and when.
Pick the Low-Hanging Fruit
If a breach occurs, especially one involving more than 500 patients, hospitals should brace for the inevitable OCR investigation. Although the investigation will partially focus on the incident that caused the breach, OCR will also (almost certainly) want to take a look at the hospital's overall HIPAA compliance program. Knowing that the government will ask for certain things, hospitals should take the time, especially when the compliance team is not embroiled in dealing with a breach, to make sure that certain core compliance documents are in place. In order of importance, OCR will ask for: (1) privacy and security policies and procedures (including those associated with responding to a breach); (2) training; (3) logs evidencing that training has been completed; and (4) the HIPAA Security Rule risk assessment (as well as its associated yearly updates). Lastly, given the scrutiny these documents will be under during an investigation, hospitals should consider reviewing them before a breach occurs to help plug any holes.
Brad Rostolsky is a member of the Reed Smith Life Sciences Health Industry Group. With a focus on health care regulatory and transactional law, he leads the group's HIPAA and Health Privacy & Security Practice. Rostolsky has extensive experience advising clients on all aspects of health information privacy and security compliance in all areas of the health care industry, including hospitals, medical practices, pharmacies, long-term care facilities, electronic health records providers, pharmaceutical manufacturers and medical device companies.
The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.