They say no news is good news, and what you don't know can't hurt you. These and other maxims are fine if you're an ostrich with its head in the sand. For privacy-minded healthcare organizations, a better truism applies: knowledge is power, especially when it comes to privacy incidents involving sensitive patient and member information.
HIPAA compels covered entities and their business associates to consistently risk assess every incident in their organization. Beyond compliance, however, incident response information serves as a catalyst for action. The ability to track and analyze incident and response trends over time gives you insight for making impactful improvements. For example:
- A greater volume of reported incidents can be a sign that your employee training is working. Privacy training has a somewhat surprising benefit: more incident reporting, because staff recognize and escalate events they previously ignored. Over time you may see an increase in the number of incidents reported alongside a decrease in the share of those incidents that turn out to be reportable breaches.
- Regular, real-time reporting lets you respond to problems from the start. Say you notice a month-over-month increase in incident volume. The privacy team can investigate the source of the increase—such as from a particular department or location—and mitigate the problem with timely reminders and training.
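The two trends above (rising report volume with a falling breach share, and a month-over-month jump that the privacy team traces back to a single department) are simple to compute once incidents are tracked in one place. The following is an added example, not code from the original article or from any product it mentions; it runs over a small constructed incident log and assumes each record carries only a month, a reporting department, and the risk-assessment outcome.

```python
from collections import Counter

# Constructed sample incident log (not real data). Each tuple is one reported
# privacy incident: (month, reporting department, risk assessment concluded
# it was a reportable breach). Note that March has many more reports than
# January but the same number of reportable breaches.
INCIDENTS = [
    ("2018-01", "Claims", True),
    ("2018-01", "Claims", False),
    ("2018-01", "Billing", False),
    ("2018-02", "Claims", False),
    ("2018-02", "Claims", False),
    ("2018-02", "Billing", True),
    ("2018-02", "Clinic", False),
    ("2018-03", "Claims", False),
    ("2018-03", "Claims", True),
    ("2018-03", "Billing", False),
    ("2018-03", "Clinic", False),
    ("2018-03", "Clinic", False),
    ("2018-03", "Clinic", False),
    ("2018-03", "Clinic", False),
    ("2018-03", "Clinic", False),
]


def monthly_summary(incidents):
    """Count incidents and reportable breaches per month, in month order."""
    summary = {}
    for month, _dept, reportable in incidents:
        row = summary.setdefault(month, {"incidents": 0, "breaches": 0})
        row["incidents"] += 1
        if reportable:
            row["breaches"] += 1
    return dict(sorted(summary.items()))


def breach_share(summary):
    """Fraction of reported incidents that were reportable breaches, per month."""
    return {m: r["breaches"] / r["incidents"] for m, r in summary.items()}


def flag_volume_jumps(summary, threshold=0.5):
    """Return (prev_month, month, relative_change) for every month-over-month
    rise in incident volume above `threshold` (0.5 means +50%)."""
    months = list(summary)
    flags = []
    for prev, cur in zip(months, months[1:]):
        before = summary[prev]["incidents"]
        after = summary[cur]["incidents"]
        if before == 0:
            continue  # no baseline to compare against
        change = (after - before) / before
        if change > threshold:
            flags.append((prev, cur, change))
    return flags


def attribute_jump(incidents, prev, cur):
    """Per-department change in incident count between two months, largest
    increase first, so the privacy team knows where to send reminders."""
    before = Counter(d for m, d, _ in incidents if m == prev)
    after = Counter(d for m, d, _ in incidents if m == cur)
    deltas = {d: after[d] - before[d] for d in set(before) | set(after)}
    return sorted(deltas.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    summary = monthly_summary(INCIDENTS)
    for month, rate in breach_share(summary).items():
        print(f"{month}: {summary[month]['incidents']} incidents, "
              f"{summary[month]['breaches']} breaches ({rate:.0%} breach share)")
    for prev, cur, change in flag_volume_jumps(summary):
        print(f"Volume up {change:.0%} from {prev} to {cur}; by department:")
        for dept, delta in attribute_jump(INCIDENTS, prev, cur):
            print(f"  {dept}: {delta:+d}")
```

On the sample data the breach share falls from 33% in January to 12.5% in March while report volume climbs, and the February-to-March jump is attributed entirely to the Clinic department. The 50% threshold is an assumption for the example; a real program would tune it to its own baseline volume.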
Tracking and risk assessing incidents is essential to establishing an effective privacy program and to demonstrating compliance to OCR and other regulators. Yet with data and systems sprawled across locations and departments, efficient, consistent incident response management is extremely difficult.
Inconsistency leads to subjectivity, which in turn leads to under- or over-reporting of breaches. You may provide unnecessary notification or fail to notify where it is required. Either way, you risk regulatory action, diminished reputation, and potential harm to patients and members.
Automated software improves incident response with timely, consistent processes
There is hope, as healthcare and other industries increasingly realize the need for a better incident response process. The 2018 Gartner Hype Cycle for Privacy report listed the data breach response category as having a high benefit rating, with relevant technologies "enabling new ways of performing horizontal or vertical processes that will result in significantly increased revenue or cost savings for an enterprise." And the most recent IAPP-EY Annual Governance Report notes that compared to 2017, a greater share of privacy spending in 2018 has gone to technology and tools (up from 9% to 12%). Even better, an IAPP-TrustArc study found that while the budget for incident response resides in IT/infosec for 58% of organizations, privacy pros still influence purchasing decisions, which nearly 70% of respondents said was the case.
Thanks to technology, covered entities and business associates can automate every phase of the incident response process—from tracking to risk assessing to notifying. Costs go down, accuracy goes up, and your privacy team can scale its program with confidence. With greater consistency and efficiency, breach notification decisions are objective rather than subjective. And better incident tracking improves your reporting, so you can more proactively identify areas for improvement.
Top health insurer speeds incident response and cuts costs: A case study
A Fortune 50 insurance company with millions of members faced many of the above challenges—a massive workload, an inefficient risk assessment process that included time spent researching laws and gathering documentation, and limited visibility into the volume and location of incidents across their organization.
The company had several choices to address their needs: an in-house database, their existing GRC platform, or RADAR incident response management software. Only RADAR provided the functionality—including built-in HIPAA and state laws—that could meet all of the insurer’s immediate and long-term needs.
“RADAR is a huge time saver...All the federal regulations and state laws are in one place and kept up-to-date by RADAR. In the past, our incident risk assessments were painfully slow.”
— Privacy executive at a Fortune 50 health insurer
RADAR has reduced input hours, provided more accurate incident data, and helped automate incident risk assessments for more consistent decision-making. Consistency and better reporting let the privacy team analyze the incident workload and increase the capacity to respond to those incidents. Moving forward, RADAR’s integration with the GRC system will enable both privacy and security to report incidents and collaborate so the insurer can reduce risks to sensitive customer data across the organization.