View Our Article in PDF×
Increasing State and Federal Rules and Oversight
Developing Breach Response Plans
The problem of breaches of protected health information (PHI) continues to mount. OCR data indicates more than 41 million people have had their PHI compromised in HIPAA privacy and security breaches. Data further indicates that 320% more healthcare providers were hit by hackers in 2016 than in the prior year. Recent studies reported that healthcare now ranks as the second highest sector experiencing data security incidents. The “2017 Internet Security Threat Report” found that in healthcare, email-borne ransomware increased by 266% during 2016. The Ponemon Institute further found that breaches are likely to cost the healthcare industry an estimated $6.2 billion annually. Breaches involving theft or lost mobile devices continue to be a major problem, such as the recent case of Lifespan, where it notified 20,000 patients of a privacy breach resulting from a MacBook work laptop being stolen from a locked car.
Increased Federal and State Rules
Earlier this year, OCR announced the first ever enforcement settlement for lack of a timely breach notification, and has issued similar enforcements in the subsequent weeks. This enforcement should not come as a surprise, as it aligns with the emphasis OCR placed on compliance with the Breach Notification Rules when it launched the Phase 2 audit program last year. In addition to OCR oversight authorities regarding HIPAA Privacy, more states are passing data breach notification laws. The combination of different rules at federal and state levels; combined with varying compliance requirements, notification rules, and non-compliance penalties from one state to another, is making protection of PHI and other data increasingly complicated. If that is not enough, it is also important to consider that for the same data breach, multiple jurisdictions could impose penalties on top of one another.
Developing a Data Breach Response Plan is Critical
Camella Boateng is a consultant and an expert in addressing HIPAA compliance. Ms. Boateng points out that all healthcare organizations should have a response plan ready if and when it is needed. This will permit prompt action to mitigate the harm and damage of a breach to systems, reputation, costs, and potential liabilities. On the other hand, failing to prepare a plan will likely result in delays, mistakes, and aggravation of the problem. When developing the plan, those responsible should include the following items: (a) establish roles and responsibilities for those who would respond to an incident; (b) outline the methods to detect, report, and internally evaluate incidents; (c) lay out steps to follow in containing and eliminating breaches; (d) determine the manner by which the Response Plan will be initiated and to restore operations; and (e) consider the factors involved in developing, executing, and monitoring a post-event remedial action plan. She advises that responsible program managers should be addressing this as part of their ongoing monitoring responsibilities. Compliance officers should verify that these activities are performed, and validate them as effective in meeting objectives. This can be done through performing ongoing auditing efforts, either with internal resources or by engaging outside experts.
Ensure Data Breach Response Plan is in Place.Connect with a HIPAA Compliance Consultant Today
Response Plan Suggestions
- Review the breach plan to ensure it covers all necessary action steps if a breach occurs;
- Designate the responsible authority to lead the response team when a breach occurs;
- Quickly gather as much information about the breach as possible and notify upper management;
- Define steps to remove all breaches to systems and prevent the incident from spreading;
- Define how to eliminate any intrusion of the system’s integrity or the network;
- Have a notification plan for the following: internal parties, patients, appropriate government agencies, and possibly the media;
- Establish steps to determine how the breach occurred, what data was compromised, and who might be responsible for it;
- As needed, consult with trained forensic experts to determine how and why the breach occurred;
- Lay out action steps to determine the state of all laptops, and mobile and electronic devices; and
- Ensure how documentation of all actions taken will be maintained to evidence that all the proper actions were taken promptly, especially if governmental authorities may become involved.
Connect with a HIPAA Compliance Consultant
Strategic Management’s HIPAA compliance consultants have decades of experience assessing and improving compliance processes. If you would like to discuss how to improve your organization’s data breach response plan, contact our experts online or call (703) 683-9600.