The following blog post was written by Al Tripodi, Quality Auditor Associate at RMS.
It’s probably not surprising that there has been an increasing number of HIPAA breaches across the country. As you hear of these breaches, you will naturally consider how to put more rigor around prevention and response. Here are 12 best practices that can “guide you and your company to a caring, compliant response, one that creates the most positive outcomes for everybody involved.” [1]
Step 1: Assemble incident facts.
Collect and produce digital data to be analyzed. Be sure to inventory the data and establish a chain of custody to track original media. Create a sound image of the original media for analysis with a backup copy. If possible, perform data analysis under attorney-client privilege.
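An added example, not from the original post or from RMS, showing the chain-of-custody part of Step 1 in Python: the forensic image and its backup copy are hashed, each handling action is appended to a custody log, and the log is re-checked so that any later change to the media is detected. The file names, handler name and evidence id are constructed placeholders.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so multi-GB images never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_copy(original, backup):
    """A backup copy is only usable as evidence if it is bit-for-bit identical."""
    return sha256_file(original) == sha256_file(backup)

def record_custody(log_path, evidence_id, action, handler, path):
    """Append one custody entry (who, what, when, where, hash) to a JSON-lines log."""
    entry = {"evidence_id": evidence_id, "action": action, "handler": handler,
             "timestamp": datetime.now(timezone.utc).isoformat(),
             "path": path, "sha256": sha256_file(path)}
    with open(log_path, "a") as f:
        f.write(json.dumps(entry) + "\n")
    return entry

def custody_intact(log_path):
    """Re-hash every logged item; a mismatch means the media changed after logging."""
    with open(log_path) as f:
        entries = [json.loads(line) for line in f]
    return all(sha256_file(e["path"]) == e["sha256"] for e in entries)

def demo():
    """Constructed sample: a small fake image and its backup, logged, then tampered."""
    d = tempfile.mkdtemp()
    image, backup = os.path.join(d, "disk01.img"), os.path.join(d, "disk01.bak.img")
    log = os.path.join(d, "custody.jsonl")
    with open(image, "wb") as f:
        f.write(b"\x00" * 4096 + b"SAMPLE EVIDENCE" + b"\xff" * 4096)
    with open(backup, "wb") as f, open(image, "rb") as src:
        f.write(src.read())
    record_custody(log, "EV-001", "acquired image", "analyst A", image)
    record_custody(log, "EV-001", "created backup copy", "analyst A", backup)
    result = {"copy_ok": verify_copy(image, backup), "log_ok": custody_intact(log)}
    with open(backup, "ab") as f:  # simulate an unlogged modification of the copy
        f.write(b"x")
    result["tamper_detected"] = not custody_intact(log)
    return result
```

In practice the log would live on write-once or separately controlled storage; here it sits beside the sample files only so the example runs offline.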
Step 2: Examine the data.
Use the data to determine the facts of the potential breach, such as: whether it was benign or malicious; who was affected; the source of the breach; the data types involved, such as name, social security number, credit card number, health insurance information, etc.; the level of exposure; any third-party involvement; and whether the data was accessed or exfiltrated.
Step 3: Document all findings.
Documentation should be presented in a clear, defensible way that can be upheld in courts of law and before enforcement agencies. Record every action taken during data analysis. It’s important to understand the difference between an incident and a breach: not every security incident is a data breach. A security incident is a violation of an organization’s security or privacy policies involving sensitive information. A data breach, on the other hand, is a security (or privacy) incident that meets the specific legal definitions set out in state and federal breach laws.
Step 4: Perform an incident risk assessment.
Use the findings of your data analysis to conduct an incident risk assessment to determine whether the privacy or security incident is a data breach that legally requires notification. Check to see if the breach meets the safe harbor requirements, which may exempt you from notification. Even if an incident is not a notifiable breach, consider risks to affected individuals and the reputation of your company if the breach is discovered and you choose to not notify.
Step 5: Stay up-to-date with the latest federal, state, and international laws.
The findings of your data analysis must be assessed against the most current breach notification regulations to determine if you have a notifiable breach on your hands. Multiple laws may apply to a single breach, depending on where you conduct business and/or where the affected individuals reside. Regulations such as the HIPAA Final Rule have specific requirements and thresholds for when and how to notify affected individuals and the media. Forty-seven states and three territories have their own requirements for breach notification, which can often be more stringent than federal laws.
Step 6: Prepare to meet burden of proof.
Whether or not you choose to provide notification, regulators will want to know the reasons for your decision. Document all your findings and reports to support your burden of proof. You will have to demonstrate that you have a consistent, defensible method for incident risk assessment to show due diligence and regulatory compliance.
Step 7: Engage appropriate outside partners.
Outside parties such as your outside counsel and insurance broker can drastically cut the cost and impact of breach response. Trusted vendors can help you meet legal requirements, protect potential victims, and preserve your company’s reputation. Select and contract with these vendors ahead of time, so they’ll be ready to team up with your internal incident response team if a breach occurs. Ask your broker to notify the insurance carrier of a breach to maximize applicable coverage. Engage outside counsel as soon as possible so that all communications and documentation are protected under attorney-client privilege.
Step 8: Tailor your notification and response to the specifics of the incident.
Your breach response plan should be based on the demographics, customer relationships, and risk information of the affected population, to meet individual needs and best demonstrate compliance. Use current best practices, such as those offered here, for planning your breach response. Avoid copying the response of other companies. Their situation is not your situation. Keep the end customer in mind when formulating a response. If you were affected by a breach, how would you like to be treated?
Step 9: Ensure completeness of response.
A complete response includes: breach response project management; crisis PR; notification to the breached population, regulatory agencies, and the media; call center services and a website; appropriate identity protection and monitoring; and identity recovery services.
Step 10: Notify affected individuals, regulatory agencies, and the media.
Notify affected individuals, regulatory agencies, and the media in compliance with the latest regulations. All communications should be consistent and specific to the incident, and should include details of the breach, containment measures, the ongoing investigation, services offered to affected individuals, and contact information. Have counsel review all notification communications to ensure compliance. Notify all relevant federal and state agencies. These may include the Department of Health and Human Services (HHS), the Federal Trade Commission (FTC), and the Attorney(s) General of the state(s) where you do business and/or where the affected population resides. Have sufficient resources in place to ensure prompt, appropriate notification, such as scalable call-center services, crisis public relations, etc.
Step 11: Provide the appropriate identity monitoring and protection.
Victims of a healthcare data breach, for example, need protection for their medical records as well as any financial information. In these situations, credit monitoring is not enough. Match your identity monitoring and protection offer to the type of data breached: medical identity monitoring for healthcare, credit monitoring for a financial breach, etc. Encourage your customers to be proactive about protecting their identities with educational resources and self-monitoring tools.
Step 12: Provide identity recovery services for victims of identity theft.
Helping the customers or patients whose identities have been stolen is the highest priority. Ask your insurance broker to recommend an insurance provider that offers identity reimbursement insurance. Provide either in-house or outsourced identity recovery experts to assist victims. Plan to assist with every aspect of identity recovery, from resolving disputes and filing complaints to providing limited power of attorney.
With careful planning and the help of trusted experts, you can successfully mitigate the damage of a breach and provide the most positive outcomes for your company, its reputation, and your customers.
RMS Healthcare can provide consultation and training services to ensure HIPAA Privacy and Security Compliance within your organization. If you would like to learn more about HIPAA Privacy and Security Compliance or further discuss how RMS Healthcare can help you, contact our Senior Director, Healthcare Operations and Compliance, Susan Maxsween at SusanM@RMSresults.com or by calling (315) 635-9802.
[1] Source: IDExperts: 12-Step Program for Data Breach Response