Last week we covered performing a HIPAA Risk Assessment, and also did a webinar on electronic devices. Needless to say it’s been a busy week here at Total HIPAA Compliance. Without further ado…
We have a HIPAA Breach!
These words will make any practice owner’s heart sink! Do you call all your patients? Do you call HHS? The police? What do you do first? How do you minimize the damage this will do to your practice? We are going to break this down into easy-to-follow steps on how you should manage a Breach.
Step 1 – Take a Deep Breath
Large medical practices and small ones alike have had Breaches. I say this so you know you’re not alone. You aren’t going to resolve this problem in one day. It’s going to take time and investigation to determine what happened, and you need to keep your wits about you as you work through it. OK, enough breathing, let’s get started.
Step 2 – What information was released, and who was responsible?
This isn’t looking for someone to blame as much as figuring out where the holes are in your Compliance Plan. You want to figure out what happened. Is this a theft? Did an employee steal the information? Is it malware? Is one of your Business Associates negligent or is one of their Subcontractors responsible?
If you determine theft was involved, you need to contact local law enforcement. For cyber attacks, you can contact your local FBI branch.
Be open with them about what has transpired, and they will walk you through the process.
Step 3 – Formulating a Plan
Before you run out and notify any patients, make sure you have a consistent plan for notification in place. For example, if your Business Associate had a Breach, you want one contact point for all parties involved. This can be your Privacy or Security Officer or the Business Associate’s, but make sure you are consistent, and inform all employees as to where to refer questions and concerns. Let employees know their cooperation in this is vital. Part of their job is going to be reassuring your patients that, going forward, their information is secure. You want everyone on the same page, working together to help rebuild trust.
Step 4 – Notifying Patients
You have your plan in place. Now it’s time to notify those clients whose information has been compromised. You need to let them know about the Breach as soon as possible, but no later than 60 days from the discovery of the Breach. You can do this via phone, email or first class mail. If you believe that there is an imminent threat—say an employee has stolen the information—then you should make phone calls. Also, if you have out-of-date contact information for 10 or more patients, you must post information about the Breach on your website homepage for 90 days.
This is embarrassing, but it’s best to be open and honest about what has transpired. The key is to give as much information to your patients as possible without compromising the investigation. This means letting them know what kinds of information were released and how they can protect themselves. A good rule of thumb is: ‘What information would I want to know in this situation?’
Many groups that experience a Breach will offer their patients one year of credit monitoring service. This can be an expensive undertaking, but losing their goodwill, or even losing them as patients, can be much more expensive!
Step 5 – The 500 Rule
According to HIPAA, if you have a Breach of over 500 patients’ information, you are required to notify HHS and local media outlets, plus post information about the Breach on your website in a conspicuous place, within 60 days of discovering the Breach. There is a form on HHS’s website to do this.
If you are in the State of California, or have any patients from the State, you must also notify the California Attorney General’s Office.
47 states have Breach notification laws, and it’s important that you familiarize yourself with your state’s law and follow its guidelines. Here is a list of the laws to date.
Step 6 – Under 500 Rule
If you have fewer than 500 patients whose information has been disclosed, you are still required to notify the patients as soon as possible, and no later than 60 days from discovery of the Breach.
You do not have to notify local media and HHS at the time of the Breach, but are required to submit an accounting of the Breach to HHS at the end of the calendar year. You can submit your report online here.
Needless to say, the best plan is to secure your patients’ health and credit information, properly implement a HIPAA Compliance Plan, encrypt all digital data, and properly train your staff on their responsibilities. This is cheaper and more effective than trying to mitigate a Breach after the fact, and can save you many headaches down the road.
Next week I will be doing another webinar with Dan Brown of Taylor English Duma LLP on Bringing Your Own Device (BYOD). You can register for this webinar here.