How to Do a HIPAA Incident Risk Assessment during the Coronavirus Pandemic
Patients aren’t the only coronavirus victims. In this time of turmoil, hackers are ruthlessly targeting healthcare organizations with double-extortion ransomware and other types of attacks. Working from home has broadened the “attack surface” for cybercriminals, making patient information even more vulnerable to privacy or security threats, and increasing the risk of a HIPAA incident.
At the same time, the U.S. Department of Health and Human Services (HHS) has relaxed its enforcement stance on the HIPAA Privacy Rule and other regulations. The agency is waiving potential HIPAA violations for doctors providing telehealth services through Facebook Messenger or FaceTime. It also issued a limited waiver of HIPAA sanctions and penalties for front-line hospitals battling COVID-19.
To keep your patient data “healthy” in this uncertain world, your healthcare organization needs a consistent and defensible process for privacy incident response. As we discussed in an earlier post, the HIPAA Breach Notification Rule is an excellent baseline for measuring the effectiveness of your incident response plan—especially the incident risk assessment.
Is Your HIPAA Incident a Reportable Breach? Do a Risk Assessment
The Breach Notification Rule requires you to perform a multi-factor risk assessment for every privacy or security incident involving unsecured protected health information (PHI). This incident risk assessment determines the probability that PHI has been compromised—the compromise standard—and must include a minimum of these four factors:
- The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification
- The unauthorized person who used the protected health information or to whom the disclosure was made
- Whether the protected health information was actually acquired or viewed
- The extent to which the risk to the protected health information has been mitigated
If your risk assessment concludes there was a low probability that PHI was compromised, you may decide the incident does not meet the legal requirements for a breach that requires notification. This may well be the case.
According to recent RadarFirst metadata, fewer than 8% of all incidents that passed through a proper multi-factor risk assessment and were sufficiently risk mitigated were notifiable breaches.
An important note:
With the inevitable spike in privacy and security incidents during the pandemic, you may be tempted to report anything that might remotely be notifiable. But over-reporting actually increases your organization’s breach risks, such as unwanted regulatory scrutiny, reputational damage, and lost business opportunities. Properly risk assessing each incident according to the Breach Notification Rule can help you avoid the pitfalls of over- and under-reporting.
2 Keys to a Successful HIPAA Incident Risk Assessment
The Breach Notification Rule requires that you:
- Be consistent in your risk assessments from incident to incident. With a consistent privacy incident response process and tools, you can automatically capture incident data and store it in a centrally accessible place. Then you can use this data to track and analyze incident and response trends over time, which gives you insight for making impactful improvements.
- Document, document, document. Your organization bears the burden of proof if its conclusions are called into question, and it must likewise be able to demonstrate that one of the existing exceptions to the definition of a breach applies. Everything about the incident must be documented to meet this burden of proof—investigation, assessment, and notification decision.
What to Do if You Have a Healthcare Breach
If the incident risk assessment indicates you have a notifiable breach, then your privacy and legal team has to follow specific OCR requirements for notification. Notification involves the following steps:
- Determine notification requirements by jurisdiction—that is, the jurisdiction of the affected individuals. Notification letters typically contain details of the breach, recommendations for protective action, mitigation steps, and contact information.
- Develop a notification schedule for individuals. Under HIPAA, this is no later than 60 days after the breach was discovered.
- Develop a notification schedule for regulators and possibly the media. If the breach affected 500 or more individuals, the 60-day notification deadline applies to HHS. All breaches are reported via an online form.
As mentioned earlier, be prepared with your documentation; HHS wants to know the details of the breach, such as the type of breach, location of breached information, number of individuals affected, and the type of covered entity (including if it’s a business associate).
In addition, each state has its own unique requirements for notifying various state agencies, such as attorneys general, state insurance commissioners, law enforcement, and consumer protection agencies.
Automation Brings Consistency to Incident Risk Assessment
The coronavirus pandemic has upended our world, a world in which the number of privacy and security incidents will continue to soar. Following HIPAA guidelines for incident risk assessment not only ensures compliance but creates a consistent pattern for determining if an incident is a notifiable breach.
Experts recommend implementing tools to automate as much of the incident response process as possible. Automation brings efficiency and consistency to every phase of incident response, including and especially the incident risk assessment. Given the uncertain times in which we live, that consistency is vital.