BreachExchange mailing list archives

Are you prepared if the next big HIPAA breach happens to you?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 22 Sep 2015 19:52:17 -0600

http://www.beckershospitalreview.com/healthcare-information-technology/are-you-prepared-if-the-next-big-hipaa-breach-happens-to-you.html

Although the Health Insurance Portability and Accountability Act of 1996
("HIPAA") is certainly not a new topic of interest for hospitals and health
systems, the 2013 changes to HIPAA's privacy and security regulations, in
combination with the government's reinvigorated approach to compliance and
enforcement, reinforce the need for health care providers to remain focused
on preparing for the inevitable likelihood that privacy or security issues
will occur.

Unfortunately, the vast number of people whose responsibilities involve
viewing or creating patient data, especially in larger provider
organizations, together with the growing use of technology in the health
care sector, indicates that news reports of significant breaches will only
continue to grow. Equally as important, however, is the potential exposure
that can come from the less "newsworthy" aspects of HIPAA compliance,
especially if the United States Department of Health and Human Services'
Office for Civil Rights ("OCR," the federal agency responsible for HIPAA
enforcement) becomes focused on a provider as a result of a breach having
occurred.

With that said, there are two important aspects to a hospital's HIPAA
compliance program: (1) traditional compliance efforts designed to train
staff and ultimately prevent problems from occurring; and (2) advance
preparation for responding to a problem once it occurs. Although these two
areas involve some overlap, many health care organizations have neglected
to focus considerable energy on "breach readiness." When a breach occurs,
a number of processes need to be set into motion simultaneously, and the
extent to which economic and reputational damage can be minimized is often
directly related to how prepared the provider is to respond quickly and
appropriately.

Be Prepared to Respond Quickly

First, it is critical to minimize the amount of time that is spent figuring
out what happened. Whether the underlying incident was caused by the
hospital's business associate vendor or by a member of the hospital's
workforce, it is critical that the potential breach is reported to the
hospital's privacy officer as close to immediately as possible. Although it
is challenging to avoid some reporting time lag when the incident is caused
by a vendor (something that can be addressed when negotiating vendor
agreements), providers should take the time to ensure that all workforce
members are appropriately sensitive to when a "situation" may rise to the
level of a HIPAA breach. Although a breach brings with it some unavoidable
exposure, a provider's ability to respond quickly and appropriately goes a
long way to prevent the magnification of that exposure.

Get the Right (Internal and External) Team in Place

Internally, providers should maintain a standing committee comprised of the
people who will need to be involved in understanding the breadth of what
occurred and making the key decisions about how to properly respond.
Typically, these people include the privacy officer, security officer, the
compliance officer, the chief information officer, a member of the legal
team, and a member of the public relations team. Lastly, to the extent that
a provider's internal legal team does not have HIPAA expertise, it is
prudent to have a relationship with outside counsel who has navigated
breach response and OCR investigations.

In the midst of dealing with legal risks related to a potential breach, the
simultaneous task of addressing all of the logistics associated with a
proper response can be quite daunting. First and foremost in this regard is
ensuring that the required "breach notifications" to affected patients are
going to be prepared and mailed by the provider's workforce or by an
outside vendor. The larger the breach (especially if the affected
individuals reside in multiple states), the more prudent it is to
prospectively contract with a company that can efficiently take the lead in
managing this process. Any time a breach involves the disclosure of social
security numbers, offering free credit monitoring services has become part
of the typical response. Rather than waiting until a breach occurs to
arrange for this offering, providers should reach out to vendors in
advance.

Related to sending out the written communication with patients is the need
for providers to maintain a call-center that will field the patients'
inevitable questions and concerns after they receive the written
notification. As with the notifications, providers can be well served by
engaging a vendor with staff focused on handling these conversations.
Although certain patient concerns are best addressed by the hospital's
privacy/compliance officer directly, the majority of questions are often
best handled by people whose job is to have these sorts of conversations.

Lastly, if media notice must be provided (either because of state law
requirements, or because the breach is large enough that HIPAA requires
it), it is helpful to engage a vendor who already knows who to contact at
each of the targeted media outlets. This is particularly true if the breach
involves multiple states and numerous media outlets must be notified.
Furthermore, developing a relationship with an outside public relations
firm enables providers to fine tune their messaging in such a way that the
patient population does not suffer unintended and unnecessary concern.

There is Insurance for Everything

As much as hospitals would prefer to never suffer a breach, the likelihood
of human error, as well as the ever growing threat of hackers, suggests
that breaches will occur. In consideration of that reality, hospitals
should protect themselves from the financial hit that often comes with
breaches (and their subsequent investigations). In addition to ensuring
that hospitals have the appropriate insurance to address the losses
associated with a HIPAA breach, it is equally important that someone on the
breach response team communicates promptly with the appropriate insurance
company representative. Beyond that, it is prudent for hospitals to seek
counsel as to what should be communicated to insurance companies and when.

Pick the Low-Hanging Fruit

If a breach occurs, especially one involving more than 500 patients,
hospitals should brace for the inevitable OCR investigation. Although the
investigation will partially focus on the incident that caused the breach,
OCR will also (almost certainly) want to take a look at the hospital's
overall HIPAA compliance program. Knowing that the government will ask for
certain things, hospitals should take the time, especially when the
compliance team is not embroiled in dealing with a breach, to make sure
that certain core compliance documents are in place. In particular order of
importance, OCR will ask for: (1) privacy and security policies and
procedures (including those associated with responding to a breach); (2)
training; (3) logs evidencing that training has been completed; and (4)
HIPAA Security Rule risk assessment (as well as associated yearly updates).
Lastly, given the scrutiny that these documents will be under during an
investigation, hospitals should consider reviewing them prior to a breach
occurring to help plug any holes.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss