Featured Health Business Daily Story September 26, 2007

Six Steps to Take to Limit Your Liability in the Event of a Patient Privacy or Identity Theft Breach

Reprinted from REPORT ON PATIENT PRIVACY, the industry's most practical source of news on HIPAA patient privacy provisions.

The worst has happened. A privacy and security breach has occurred, exposing Social Security numbers and other information about thousands of patients to anyone with Internet access. Or maybe a laptop computer containing patient data is missing. You hear the news; you catch your breath. Then what?

What steps should you take to minimize the possible damage - to ensure that your patients do not become victims of identity theft?

RPP asked Jeffery P. Drummond, a partner in the health care section of Jackson Walker, a Texas law firm, to provide tips and strategies for damage control in the event of a breach. Drummond frequently speaks on privacy and security issues and HIPAA, and operates a popular blog at http://hipaablog.blogspot.com.

The steps to responding to a breach, he said, include a reality check, assembling the right people, telling your story, disciplining those responsible, accounting for the disclosure and learning from the experience.

(1) Reality check. You may have a small, non-newsworthy event on your hands or a big event that could make the front page. The first thing you need to do after learning of a breach or possible breach is "a reality check" to discover what really happened, what is missing, how it happened, and, finally, how great the risk is that the data could be misused.

This helps you determine whether to notify patients. Second, assess whether notification itself could cause more harm than it prevents.

(2) Assemble the right people. After an incident occurs, you need to quickly rally the troops and bring together all your personnel who are going to help you respond to it. "Your IT people, your lawyer, your c-level executives" (chief executive officer, chief operating officer, chief information officer, etc.), Drummond said.

Don't forget your public relations staff and outside individuals who might also be essential, including disaster recovery specialists if you have lost data and a credit monitoring service to offer to affected patients.

"PR people and lawyers, I think, will have the biggest impact" on how well you handle the breach, Drummond said.

(3) Tell your story (if necessary). Once your team is in place, it will determine the steps you will take, including whether to notify patients and the public. Pay attention to state laws as well. For example, Texas state regulatory and licensing authorities have the right to randomly review patient files, and an organization must document in patient files whether any data has been disclosed without authorization.

Similarly, state laws may require notification to affected patients. "You need to know what your legal duty is," Drummond said. Under HIPAA, he added, "you have to mitigate any known harmful effects."

But you may not want to stop there. Drummond cautioned that, particularly in a field where patient trust and your public reputation are so important, "you also have an ethical duty to do what you think is right for your patients."

If You Notify, Offer Specifics Promptly

If you decide that notification is required, "tell people as soon as possible in a way that does not create panic," Drummond said. "You can't run out and yell fire." He recommends offering specifics about what happened and steps you are taking to mitigate the breach, including whether you are offering any credit monitoring.

How you notify affected individuals will depend on how many are involved. "If the data is on 100,000 people, you might not be able to locate them all," Drummond said. "If the data was on 50 people, it might be feasible to contact everyone." Do so "as soon as you can without jeopardizing the investigation."

Drummond represents a group of physicians who had a break-in at their office and had several laptops stolen. After reporting the theft to the police, they learned that a number of buildings in the area — that did not involve health care businesses — had recently also been burglarized, with computer hardware missing.

The authorities told the physicians they were certain the thieves were after only the computers, which would probably be "scrubbed" clean and then resold. The police, Drummond said, were convinced that the thieves were not stealing the data to engage in identity theft. "It appeared to be a crime wave that involved buildings in the area," Drummond said. Given this, Drummond advised the physicians that they did not have to notify patients of the theft.

Drummond noted that in Texas, the law strictly defines what a breach is, which ties into whether notification must be given. If the Texas physicians had believed this was necessary, they would have been hampered in doing more than a global announcement of a theft because they were not sure which patient data were actually on the computer. "They did think there was some protected health information on the laptops, but they were not really sure what was on them," Drummond said.

(4) Discipline those responsible. If you can pinpoint who is to blame for the incident, you need to take disciplinary action against them, Drummond said. You should follow your own policies in this regard, such as those you have specified for unauthorized uses and disclosures, or for HIPAA compliance in general.

'Heads Need to Roll' if Someone's Responsible

But Drummond said he believes strongly that individuals responsible should be terminated whenever possible, bearing in mind whether the person is in a union or may have rights to a grievance procedure. "If there is someone responsible, heads need to roll," he said. "That person needs to be fired and marched out of the building by security."

This will send a message to other employees that infractions will be treated seriously, especially if you don't have instances like this happen very often. "It will scare everyone, and fear is a good motivator," he said. If a third party or a vendor is responsible, you may also want to terminate your contractual relationship.

(5) Account for the disclosure. According to Drummond, a breach or data loss is required to be logged as an unauthorized disclosure. He noted that the documentation must specify what happened and what was done to meet the mandated obligation to "mitigate any known harmful effects" of the disclosure.

So in the case of the physician group, they needed to note that "they knew, with a high degree of confidence, that these were going to be sold for their hardware value; the police were backing them up that this was a hardware theft. They had no reason to suspect there were any known harmful effects," Drummond said.

In addition, if you know the actual patients affected, you must note the loss in each of their charts.

(6) Learn from the experience. Do you have a flaw in your privacy and security compliance policies and procedures? What changes are necessary to prevent a similar occurrence?

In the case of the physicians, the data on the laptops were not encrypted or password protected - measures the physicians realized were necessary, and they put these in place for their other computers, Drummond said. "If this is truly a data breach, if data is core to the incident...if you have someone hacking in or a firewall breach, you need to be much more intensive in your dealings with it," Drummond said.

Drummond warns against falling into the "bad boxer" trap. A bad boxer covers the spot he was last hit, but doesn't think about how to protect other vulnerable spots that haven't been attacked (yet). "Do a specific review of your whole system, and look for areas where you could have similar problems," he said. "Then, be creative, and figure out where your other weaknesses might be."

Part of your analysis should include whether you missed any red flags if the breach was caused by a vendor. Was your business associate agreement airtight? Did you do appropriate due diligence before you selected them? "Tech companies bloom and die daily," Drummond cautioned.

"Sometimes [a firm] is just a bunch of guys from brand X who form brand Y. They might be all the smart guys, but they might be all the stupid guys. There is a lot of risk out there. You have to be very cautious."

And finally, remember what is at stake in all of this. "I am a believer that the PHI is of little value beyond the Social Security numbers. Unless you are a celebrity, no one cares about Aunt Edna's gallbladder" or other medical information, Drummond said. But he adds that "even though the great likelihood is that individuals are not going to be harmed, your reputation and your good name are toast if you don't react appropriately."

Copyright © 2008 by Atlantic Information Services, Inc. All rights reserved.