- When passed through a proper multi-factor risk assessment and sufficiently risk mitigated, only 6.5% of all incidents in the healthcare sector were notifiable data breaches last year.
- The risks of presuming all incidents are breaches include unwanted regulatory scrutiny, reputational damage, and lost opportunities.
- 6 steps to include in your privacy incident response process to avoid over- or under-notifying.
Read more below.
A quick peek at the U.S. Department of Health and Human Services (HHS) Breach Portal reads like an action thriller: healthcare breaches are an everyday occurrence, caused by hacking. This portal is where the Office for Civil Rights (OCR) posts healthcare data breaches involving individuals’ protected health information (PHI). More commonly referred to as the “Wall of Shame” by the healthcare industry — reminiscent of Nathaniel Hawthorne’s The Scarlet Letter — the portal lists breaches involving 500 or more individuals, a requirement under the HIPAA Breach Notification Rule.
If the HHS Breach Portal leaves you a little dismayed, we may have a happily-ever-after ending for you. Did you know that, according to aggregated metadata from Radar users, when properly risk assessed through the Radar intelligent incident response platform, 93% of privacy incidents were not notifiable in 2020? Or that organizations that presume every incident is a breach tend to over-notify when faced with notification decisions?
Only 6.5% of all incidents in the healthcare sector that passed through a proper multi-factor risk assessment and were sufficiently risk mitigated were actually notifiable data breaches, according to recent RadarFirst metadata in the 2021 Privacy Incident Benchmark Report. This is consistent with our findings over the past three years, based on the statistics from our incident response management platform.
Is Your Incident a Breach?
Is your HIPAA incident a reportable breach? Download the eBook, Compliance with the HIPAA Breach Notification Rule, to get a refresher on what the law entails and incident response best practices. Large or small, every incident requires your privacy team to make that determination. You may be tempted to report anything that might remotely be notifiable, especially with the spike in privacy and security incidents during the pandemic. But doing so puts your organization at risk for unwanted regulatory scrutiny, reputational damage, and lost opportunities.
Properly assessing each incident according to the Breach Notification Rule can help you avoid over- and under-reporting. Read Too Much or Too Little? The Risks of Under- or Over-Reporting Incidents.
When organizations leverage an intelligent incident response solution that provides notification recommendations, over-notifying or under-notifying is no longer an issue. Learn more about data breach notification and how to conduct your incident risk assessment.
Causes of Breaches in Healthcare
While hacks tend to make headlines, errors are the primary cause of breaches in healthcare — certainly not as eye-grabbing as hacking and ransomware. Our latest findings across all industries indicate that the vast majority of incidents are unintentional, caused by employees and staff — and that less than 2% of all incidents were malicious in nature. “The top mistake within healthcare is…misdelivery,” echoes Verizon’s 2020 Data Breach Investigations Report. The HHS Breach Portal has several reports of unintentional disclosures by employees, including:
- “inadvertently mailed the protected health information (PHI) of 8,730 individuals to the wrong recipients”
- “an employee sent an email containing the electronic protected health information (ePHI) of 17,050 individuals to the wrong recipients”
- “an employee inadvertently mailed billing statements containing the protected health information (PHI) of 1,514 individuals to the wrong recipient”
How can these breaches be mitigated? Under the HIPAA Security Rule, training is required for anyone who comes in contact with PHI. There is an abundance of HIPAA training available for both covered entities and business associates — HIPAA Journal is a good resource. To reduce incidents, it’s important that employees understand how their behavior can lead to incidents and how a disclosure of information may constitute a breach.
6 Steps of Privacy Incident Response
The next time you’re faced with a privacy incident, consider these six steps for a consistent, efficient process for incident response so that your organization can protect patient privacy and meet HIPAA breach notification requirements:
- Do Pre-Incident Preparation. Compliance with the HIPAA Breach Notification Rule depends as much on what you do before an incident as what happens after.
- Identify & Investigate. When a privacy or security incident involving PHI is discovered, your incident response team investigates to determine the root cause, performs remediation, and documents the facts of the incident.
- Risk Assess & Decide. With the incident information on hand, your privacy officer or legal team will conduct a multi-factor risk assessment to determine if the incident is a reportable breach.
- Notify. If you determine that notification is required, your privacy and legal teams have to be ready to quickly generate notification letters to individuals and regulators.
- Prepare Your Burden of Proof. “Covered entities and business associates…have the burden of demonstrating that all required notifications have been provided or that a use or disclosure of unsecured protected health information did not constitute a breach,” states the HHS Office for Civil Rights.
- Analyze. Take time to evaluate and improve your incident response process. This demonstrates your commitment to compliance with the HIPAA Breach Notification Rule and other regulations.
Privacy incidents involving PHI and personally identifiable information (PII) in healthcare settings are inevitable. How your organization handles incident response is critical. Your organization needs a consistent and efficient method for every step of the incident response process, so you can protect patient privacy and avoid the pitfalls of over-reporting or under-reporting.
What’s important is to have a go-to incident response plan that protects patient privacy and shows good faith to regulators and the public. A good ending starts with a good beginning.
Read more about how a consistent, repeatable intelligent incident response process can help your organization: Fortune 200 Healthcare Company Cuts Incident Risk Assessment Time by 50% with Radar.