Executive Summary
What you do immediately after a HIPAA violation can affect the severity and eventual penalties. Prepare a response plan before a breach occurs.
- Priorities should be notifying others in the hospital and establishing an investigative team.
- You have to stop the flow of protected health information immediately.
- Coordinate with external contacts such as insurers.
You’re sitting at your desk, and someone walks in to inform you that there has been a HIPAA violation. What do you do next?
The answer to that question could have significant impact on the scope of the violation and the resulting penalties and other costs. An alleged or actual HIPAA breach can result in catastrophic consequences, including not only costly investigative, analysis, reporting, and mitigating actions, but potentially costly fines and penalties, loss of patients, loss of personnel involved in the breach, and reputational harm, notes Lani Dornfeld, JD, a member in the health law practice at the law firm of Brach Eichler in Roseland, NJ.
Preparing for this moment is key to handling it well, notes Fred Charlot, director of Berkeley Research Group in Houston, TX, which provides consulting for healthcare and other organizations. That preparation means creating an incident response plan that spells out in detail what you will do after learning of a breach, including the names and contact information for everyone who will be notified or participate in the investigation.
“Failure to have a response plan in place is really bad,” Charlot explains. “Then you’re making decisions and trying to remember things as you’re troubled and trying to deal with the incident as it’s occurring. You have a really good chance of missing something in that situation.”
The incident response plan should include managerial items such as a reporting chain, whom to call, what order to call, and what actions to take. The plan should call for contacting not just IT, but also legal counsel, financial managers, public relations, and senior management.
Of course, the hospital must notify HHS and follow the rest of the breach notification rules, though that will not be the first action item. For information on how to report the breach to HHS, go to http://tinyurl.com/yap3lpb.
Shut off flow of PHI
Dornfeld agrees that planning ahead is crucial, and she adds that a response plan will allow you to act more quickly and effectively.
“The first step is putting the privacy officer and, where appropriate, the security officer, into action and, where needed for larger breaches, assembling a response team to manage the process,” Dornfeld says.
The response team might include the privacy and security officers, a compliance committee, and other relevant hospital officials. If cloaking the investigation in the attorney-client privilege will be beneficial to the hospital, legal counsel should be engaged as soon as possible, Dornfeld notes.
A key concern is stopping the breach, but Charlot says your first priority should be shutting off the flow of PHI and not necessarily ending the breach entirely if it involves a cyberattack from outside. In those cases, IT investigators will need to examine how the breach happened and what the attackers were after, and that can be more difficult if you slam the doors right away.
Because the breach investigation is the cornerstone of all actions to follow, the investigation must be undertaken and executed in a careful and planned manner, Dornfeld says. Everyone involved in the incident should be interviewed.
“My experience is that two interviewers to one interviewee, in a private area, is best. Careful and detailed notes must be taken of all interviews, including date and time,” Dornfeld says.
Other actions should be undertaken in tandem, she advises. If the breach involved electronic information, you must initiate a forensic investigation to determine the root cause, and you must implement mitigating actions to contain the breach or the root cause of the breach. Document all actions carefully.
Depending upon what you find out from your initial investigation, in some situations it might be prudent to talk to the subject of the breach: the patient, Dornfeld says. This is especially true if the individual who is the subject of the breach is the one who brought the incident to the attention of the hospital. In that case, the hospital should interview the individual to elicit any information or evidence the patient might have about how the breach happened.
“This is also a good time to ask questions that may uncover the truthfulness or accuracy of allegations,” Dornfeld says. “However, the hospital should avoid providing too much information too early. Such conversations should include assurances that the hospital takes the privacy and security of patient information seriously and that it has initiated an investigation into the matter, has taken mitigating actions, if applicable, and will provide further information when available.”
The hospital should avoid making promises that it will fire those involved, even if the patient is requesting that action, Dornfeld says. “Diplomacy and apology at this stage is generally best,” she says.
Once all investigative actions have concluded, the response team should perform a risk analysis as required under HIPAA to determine whether there is more than a low risk that the PHI of the individual was compromised. If the answer is yes, the hospital must provide written notification of the breach.
Depending on the size and scope of the breach, the hospital might want to hire public relations professionals to help reduce the potential for reputational harm, Dornfeld suggests. All actions taken will need to be set forth in a written report the hospital retains in its files, she adds.
Your response plan should include coordinating with any outside parties that should be involved, notes Beth Strapp, health care customer segment manager and vice president, Chubb Specialty Insurance, Simsbury, CT. That coordination could include insurers, particularly if the hospital has coverage for cyber or network security.
“Most insurers these days have some sort of a breach coach as part of the insurance policy,” she says. “The breach coach acts as the quarterback, helping you analyze all aspects of breach and determine things like whether it violated additional state laws or federal regulations. If they think you need more help from forensics experts, for instance, they can bring that in, as well.”
Strapp notes that a breach cannot be handled optimally unless it is reported promptly to the right people. If an employee detects a breach but doesn’t report it properly, valuable time can be lost. “There’s a huge responsibility on the organization to make sure you are training employees to know who they are supposed to contact and the importance of doing so quickly, so the organization can, in turn, respond appropriately,” Strapp says.
After the initial response and investigation, follow-up actions by the organization might include security risk analyses, technological changes to increase protections, changes in protocols for handling patient information, staff education, and staff discipline.
Dornfeld says, “Ultimately, every breach, small or large, should be used as an opportunity to remind all hospital personnel of the importance of protecting patient information and following proper privacy and security protocols.”