Timing is Everything
A data breach within your business. You think it won’t happen, you hope it doesn’t happen, but what if it does happen? What are your next steps?
Like most things in healthcare, timing is essential. You need to think quickly and act swiftly at a moment when you may be least prepared to do so. And, as with our own health, preparation today is what allows for survival and a healthy outcome in the end.
Conducting a risk assessment is the first step. You can’t fix what you’re unaware of. If there are gaps in your security posture, they need to be found and addressed by you, not discovered by a cybercriminal. Once identified, those gaps can be closed, the weaknesses strengthened, and ongoing staff education set up alongside strong cybersecurity and HIPAA compliance tools. Being proactive is key to saving time, money, and potentially your business. But if you are reading this because you have been breached, or suspect you have been, you will need to kick into reactive mode quickly.
What is a Breach?
The US Department of Health and Human Services (HHS) defines a breach as “generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.” Under the Breach Notification Rule, an impermissible use or disclosure of PHI is presumed to be a breach unless your business can demonstrate a low probability that the PHI has been compromised. If you can, the incident need not be treated as a reportable breach, but it still has to be addressed, and the risk assessment that supports that conclusion must be documented, because the burden of proof is on you. Demonstrating this low probability requires a risk assessment of at least the following factors:
1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
2. The unauthorized person who used the protected health information or to whom the disclosure was made;
3. Whether the protected health information was actually acquired or viewed; and
4. The extent to which the risk to the protected health information has been mitigated.
If the incident is determined to be a breach, you must follow the Breach Notification Rule’s requirements. As a covered entity, you must notify the affected individuals, the Secretary of Health and Human Services, and, for a breach affecting more than 500 residents of a state or jurisdiction, prominent media outlets serving that area. Notice to individuals must be in written form and sent by first-class mail, or by e-mail only IF the individual has agreed to receive notices electronically. If contact information is insufficient or out of date for 10 or more affected individuals, you must provide substitute notice: a conspicuous posting on the home page of your website for at least 90 days, or a conspicuous notice in major print or broadcast media in the area where the affected individuals likely reside. Either form of substitute notice must include a toll-free phone number, active for at least 90 days, that people can call to find out whether their information was involved in the breach.
Individual notifications must be sent without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. Each notice should include a description of what happened (including the date of the breach and the date of discovery, if known), a description of the types of information involved, the steps affected individuals should take to protect themselves, a brief description of what the covered entity is doing to investigate the breach, mitigate the damage, and prevent future breaches, and contact information for anyone who has questions. Notification to the Secretary is due on the same 60-day timeline for breaches affecting 500 or more individuals; smaller breaches may be logged and reported to the Secretary annually, no later than 60 days after the end of the calendar year in which they were discovered.
If you are involved in a breach, there are additional steps and measures that should be taken immediately, or as soon as possible, and we can help. Different rules apply to business associate relationships (a business associate that discovers a breach must notify the covered entity without unreasonable delay and no later than 60 days after discovery), and there are further administrative requirements, including documenting the risk assessment and every notification made. Without the guidance of a trusted advisor in a situation like this, you may be opening your business up to further damage.
While it is true that most employees have “some understanding” of HIPAA, having the right partner with you at a time like this is as critical as hiring a qualified electrician to wire your house rather than someone who has “some understanding” of how it should be done.