HIPAA Breach Notification Rule: A Baseline for Healthcare Incident Response in Uncertain Times
Healthcare workers fighting to save the lives of COVID-19 patients are at risk of falling ill themselves. In this time of crisis, healthcare organizations are also at risk for an unprecedented number of data privacy and security incidents. Understanding the HIPAA Breach Notification Rule is key in these uncertain times.
“The attackers know that [healthcare] organizations are so desperate at the moment to build ventilators, or to stop people from getting sick, and they are trying to exploit that.”
Healthcare Organizations Need a Privacy Incident Response Plan
More than ever, healthcare organizations need a robust privacy incident response plan in place to protect patient privacy and show good faith to regulators and the public. The HIPAA Breach Notification Rule requirements are an excellent standard for evaluating the effectiveness of your incident response plan now and after the crisis.
A Refresher on the HIPAA Breach Notification Rule
HIPAA requires that both covered entities and their business associates comply with the Breach Notification Rule. This includes:
- Performing a multi-factor risk assessment for every privacy or security incident involving unsecured PHI.
- Meeting your burden of proof. This means proving that you have provided notification or demonstrating that the incident is not a breach requiring notification.
- Notifying affected individuals, the HHS Secretary, and in some cases the media within certain timelines.
In addition, the methodology for multi-factor risk assessments must be consistent from incident to incident. And you need to be prepared to support your decision to notify or not notify with well-documented criteria.
6 Sure Steps for Healthcare Privacy Incident Response
A strong privacy incident response plan is the sign of a strong privacy program and includes these steps:
Step 1: Do Pre-Incident Preparation
Compliance with the HIPAA Breach Notification Rule depends as much on what you do before an incident as what happens after. To properly prepare for the inevitable privacy or security incident, your organization needs to:
- Build a ready-to-act privacy incident response team.
- Establish clear, simple policies, processes, and reporting mechanisms so that everyone in your organization knows how to identify an incident.
- Ensure that contracts with business associates (or covered-entity clients if you’re a business associate) are updated and in place.
Step 2: Identify & Investigate
When a privacy or security incident involving PHI is discovered, your incident response team must investigate to determine the root cause, perform remediation, and document the facts of the incident. Accurate documentation is critical, because this is the information that will be assessed against the four compromise factors as outlined in the Breach Notification Rule.
Step 3: Risk Assess & Decide
With the incident information on hand, your privacy officer or legal team will conduct a multi-factor risk assessment to determine if the privacy incident is a reportable breach. Under the Breach Notification Rule, this incident risk assessment determines the probability that PHI has been compromised—the compromise standard.
Step 4: Notify
If you determine that notification is required, your privacy and legal teams have to be ready to quickly generate notification letters to individuals and regulators. OCR has specific requirements for notifying the affected population, the HHS Secretary, and the media. In addition, each state has its own unique requirements for notifying various state agencies, such as attorneys general, state insurance commissioners, law enforcement, and consumer protection agencies.
Step 5: Prepare Your Burden of Proof
According to OCR:
“Covered entities and business associates…have the burden of demonstrating that all required notifications have been provided or that a use or disclosure of unsecured protected health information did not constitute a breach.”
How well you meet this burden of proof depends on how well you document your incident response process. Your documentation should include:
- A policy on breach notification
- A copy of recent breach notifications
- A copy of any incident risk assessments where notifications were not made
- Documentation of the timelines, from breach discovery to breach notification
- Documentation of breach-related investigations
Step 6: Analyze
Afterward, take time to evaluate and improve your incident response process. This demonstrates your commitment to compliance with the HIPAA Breach Notification Rule and other regulations.
By examining privacy incident trends, you can identify recurring weaknesses or vulnerabilities, and thus allocate training, security measures, or other risk management resources to where they will be the most beneficial. Also, look at incident response metrics to see whether you’re consistently meeting regulatory deadlines and to see whether you’re tending to over- or under-report.
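As an added example that is not part of the original post, the following Python sketch shows one way to keep the Step 3 risk assessment consistent from incident to incident, enforce the Step 5 burden-of-proof documentation, and compute the Step 6 timeline metrics. The four factors and the 60-day limits come from the Breach Notification Rule itself (45 CFR 164.402 through 164.408); the incident records are constructed, and the class and field names are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# The four factors that 45 CFR 164.402 requires in every compromise risk assessment.
FACTORS = ("nature_and_extent_of_phi", "unauthorized_recipient",
           "phi_actually_acquired_or_viewed", "extent_of_mitigation")

@dataclass
class Incident:                      # hypothetical record format
    incident_id: str
    discovered: date
    individuals_affected: int
    max_affected_in_one_state: int
    # factor name -> (low probability of compromise?, written rationale)
    assessment: dict = field(default_factory=dict)
    notified_individuals: Optional[date] = None

def notification_required(inc: Incident) -> bool:
    """Presume a breach unless every factor is documented and the
    assessment concludes a low probability of compromise."""
    for f in FACTORS:
        if f not in inc.assessment or not inc.assessment[f][1].strip():
            raise ValueError(f"{inc.incident_id}: factor {f!r} is undocumented")
    return not all(low for low, _ in inc.assessment.values())

def deadlines(inc: Incident) -> dict:
    """Regulatory deadlines counted from the discovery date."""
    individual = inc.discovered + timedelta(days=60)          # 164.404
    if inc.individuals_affected >= 500:                         # 164.408
        hhs = individual
    else:  # fewer than 500: log and report within 60 days of year end
        hhs = date(inc.discovered.year, 12, 31) + timedelta(days=60)
    return {"individuals": individual, "hhs": hhs,
            "media_required": inc.max_affected_in_one_state > 500}  # 164.406

def timeline_metrics(incidents):
    """Step 6 metric: days from discovery to individual notice, and whether
    the 60-day outer limit was met. Unnotified incidents are skipped."""
    out = []
    for inc in incidents:
        if inc.notified_individuals is not None:
            days = (inc.notified_individuals - inc.discovered).days
            out.append((inc.incident_id, days, days <= 60))
    return out

# Constructed sample incidents, not real cases.
SAMPLE = [
    Incident("INC-001", date(2020, 4, 1), 1200, 900,
             {f: (False, "unencrypted laptop stolen") for f in FACTORS},
             notified_individuals=date(2020, 5, 15)),
    Incident("INC-002", date(2020, 4, 10), 3, 3,
             {f: (True, "misdirected fax retrieved; destruction attested") for f in FACTORS}),
]
```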
Who knows what the future will hold?
We live in an uncertain world, but one thing is sure: the time for a consistent, efficient incident response process that helps reduce risk is now. The privacy and well-being of your patients depend on it.