Last week we discussed incident investigation and determining when an incident is classified as a breach. This week we will take the next step and discuss what you need to do when you have determined that an incident is a healthcare data breach. This is especially timely in light of OCR’s settlement last week with Presence Health for lack of timely breach notification. We will discuss each of the parties that must be notified in turn.
- Notification to the Affected Individual
You must notify an affected individual that their Protected Health Information has been breached within 60 days of discovery, that is, within 60 days from when your incident investigation determined there had been a breach. Your notice should include the following:
- A brief description of the breach;
- A description of the types of information involved in the breach;
- The steps they should take to protect themselves from potential harm;
- A brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches; and
- Contact information for the covered entity.
Notification should be made by mail, or by e-mail if individuals have agreed to e-mail communication. If you cannot find contact information for 10 or more affected individuals, you must provide notice on your website homepage or in major print or broadcast media for at least 90 days. This must include a toll-free number where individuals can call to see if they were affected.
- Notification to the Media
For breaches affecting more than 500 individuals, you must also notify the media in the area where the affected individuals live. This is typically done in the form of a press release and also must be done within 60 days of discovery of the breach.
- Notification to the Secretary
For breaches affecting more than 500 individuals, you must notify the Secretary of Health and Human Services within 60 days of discovery. For breaches affecting fewer than 500 people, you must notify the Secretary within 60 days of the end of the year in which the breach was discovered. In both cases, the HHS electronic breach form is to be used.
- State Requirements
You should also keep in mind that many states have added requirements on top of these federal requirements. Some states have shortened the notification time to the individual and added state officials who must also be notified (e.g. the state Attorney General). Be sure you are aware of your state’s requirements.
In summary, in all breaches you will have to notify the individual within 60 days of discovery, as well as the HHS Secretary. The clock starts when you determine that a breach has occurred, which typically follows an incident investigation. Failure to notify affected individuals or HHS in a timely manner can lead to costly fines.
Lessons Learned From The Largest HIPAA Fine
There’s an age-old adage: The chicken or the egg? Which one came first? In a lot of ways, when it comes to a time-tested cybersecurity program, the same goes for security or compliance. And, are they different?
Many people ask the seemingly simple question “what do I need to do to be compliant?”
Unfortunately, that question doesn’t always have a simple answer, and the answer varies by organization. Another common question is “what do I need to do to be secure?” Another complicated and organization-specific answer is required.
However, many organizations assume that security and compliance are the same thing, when in fact they are quite different.
Cybersecurity protects the protected health information (PHI) your organization has access to from threats by controlling how it is used, consumed, and provided. Compliance, in particular HIPAA compliance, is a demonstration of those safeguards.
However, being compliant with specific safeguards does not ensure that information will be secure and private, as the requirements prescribed in regulations are either minimum baselines or are open to interpretation and not prescriptive. To merely strive for compliance would essentially be trying only to meet the minimum requirements.
A good security program is constantly evolving and improving. While regulations attempt to push for this result, it is nearly impossible to define and enforce through regulation alone.
It is immaterial whether compliance or security comes first. If compliance is first, it is a solid foundation on which to build a security program. If security is the initial objective, compliance will be a natural byproduct. In the end, preventing impermissible access and disclosure of PHI must be the goal and the best way to do this is through an ever improving, and evolving, cybersecurity program.
The end of the year is almost here, and that means now is the time to begin completing those HIPAA security and privacy items you need to get done before December 31.
HERE ARE THE TOP 3 THINGS YOU SHOULD COMPLETE BEFORE 2017:
1. Test Your Backup
If you have not done it this year, we strongly encourage you to test your backup before the end of the year. Having a backup that you can easily transition to is the best way to guard against the most devastating cyber attacks (i.e. ransomware). While simply having a backup is a positive step, if that backup has never been tested how confident are you that it can be relied on during a crisis? It is better to test it now and be confident it is reliable if needed.
2. Conduct a Security Risk Assessment
All organizations, both covered entities and business associates, must conduct an annual security risk assessment – have you done one this year? Or at least started? Your risk assessment should include an inventory of all assets that create, maintain, receive, or transmit PHI. It should also include an assessment of risks, threats, and vulnerabilities, and should cover the entire organization. If you have not done so yet, begin planning now to at least start one before the year’s end.
3. Inventory Business Associates and Business Associate Agreements
Before the end of the year you should ensure you have a thorough inventory of your business associates and all business associate agreements. You may have business associate agreements that will expire at the end of the year, or need renegotiation for other reasons. Make sure to plan, as you will need ample time to have those negotiated and executed before they expire.
HIPAA compliance is a continuous endeavor which requires planning and diligence. The start of the fourth quarter of the year is a logical time to determine what still needs to be completed before the end of the year, and if you’re just now starting these processes, there are organizations that can help you get this work done quickly.
An often overlooked aspect of HIPAA compliance is the selection of a HIPAA security officer or HIPAA privacy officer. These roles are often filled by default and given to the person with the closest proximity to the tasks these roles typically focus on.
The security officer role tends to be passed to the IT manager, while the privacy officer role typically goes to the individual in charge of managing medical records. However, the HIPAA security officer and HIPAA privacy officer roles are critical to ensuring data is protected throughout the entire organization and compliance is maintained. Therefore, the selection of individuals for these roles should be determined by thorough analysis.
Here are a few traits you may want your privacy and security officers to possess:
- Broad understanding of organizational processes: In order to be effective in either role, an individual must have a global understanding of how the organization operates, how PHI flows into and out of the organization, how PHI is utilized, and where it is within the organization.
- Attention to detail: You want people in these roles that can spot policy violations or needs for procedural changes simply by walking around the organization. You will also want someone who can think creatively about best practices. The individuals in these roles will not only need to spot and stop potential violations, but will need to identify better ways of operating that balance staff needs with adequate protections.
- Strong leader: The security officer and the privacy officer will be your data protection champions. They will set the tone for the entire organization when it comes to implementing privacy and security safeguards. Their job is to create a culture of compliance throughout the organization.
There are other considerations to keep in mind beyond just selecting the right individual to fill the roles. Will these roles be filled by someone on staff, or will they be outsourced? The best practice is to fill the roles with someone on staff. There is no prohibition on outsourcing these roles, but it is advantageous to have someone who is consistently onsite and has an intimate understanding of the organization serving in these capacities. It is often best to have the security and privacy officers on staff and backed up by outsourced experts who can provide them guidance as needed.
Another aspect to consider is whether to have one person fill both the security officer and privacy officer roles. The rule of thumb is that it can be one person if that one person has sufficient time to adequately complete both roles. Most often this is not appropriate for larger and more complex organizations, but it does tend to work well in smaller organizations.
Regardless of who serves in the roles of security and privacy officer, it is imperative they understand and embrace the importance of the role. Good security and privacy officers can lead positive changes that permeate through the entire organization.
More and more, the healthcare industry is adding cyber insurance as a component of its risk management strategy and as a part of a required healthcare cybersecurity program. However, claims filed against cyber insurance policies are often denied for preventable but overlooked reasons.
Here are the three top things to keep in mind if you currently have a cyber insurance policy or if your organization is considering one:
- Accurately represent your current risk management strategy, as well as type, amount, and location of PHI maintained. Just like any other insurance offering, inaccurate statements on the application can be grounds for claim denial.
- Be aware of any security measures the insurer requires of your organization. These could be detailed requirements, such as an annual security risk assessment, periodic workforce security training, or evidence of implemented safeguards. However, typically the policies are not explicit and require that “reasonable” safeguards be in place. The rule of thumb in these instances is that if it is a safeguard that HIPAA would deem required or reasonable for your organization, the insurer will deem it reasonable as well. Not having safeguards in place could limit how much of a claim is paid out, or lead to an outright denial.
- Incorporate the cyber insurance provider into your incident response plan. Many cyber insurance policies require organizations to notify the insurer first after an incident is discovered. This is because the insurer will often have contracted with outside organizations to handle different aspects of breach investigation and response for policy holders. Failure to follow this protocol could result in certain expenses incurred prior to notifying the insurer being denied.
While cyber insurance can be an asset to an organization if a breach occurs, it is not a cure-all risk management strategy. It should be combined with other reasonable safeguards which could prevent a breach from occurring in the first place.
In HIPAA compliance, time and financial resources must be allocated in the ways that provide the highest return on the investment. Traditionally, that has meant implementing technology solutions that prevent, identify, end, or mitigate a breach situation. However, this strategy assumes one important factor: that the technology is implemented and utilized correctly. At some point all technology solutions must rely on the human factor to be effective. Therefore, whether you are a covered entity or a business associate, a properly trained workforce is the most important thing you can have to ensure HIPAA compliance.
HIPAA training can be relatively easy and inexpensive to complete. The most important determinations are what will be contained in the training, how the training will be delivered, and how frequently staff will be trained.
What Will Be Contained In The Training?
Each organization must determine for itself the specific topics it will include in its training. Ideally, the training will not exclusively be something produced for a generic audience, but will be customized to your organization. The idea is not to conduct training on the HIPAA law itself, but to train on your organization’s HIPAA safeguards. Training topics could include:
- What is PHI and where is it in our organization;
- The Minimum Necessary Rule;
- When and how to disclose PHI;
- How to give patients access to their PHI;
- Phishing, ransomware, and other current threats;
- Encryption; and
- Mobile device and remote access security.
Incidents and Complaints
- How to file a complaint;
- What to do if you receive a complaint; and
- Roles and responsibilities in complaint investigation and breach response.
How Will The Training Be Delivered?
You can utilize generic training for some aspects of your HIPAA training, but you want to make sure that your organization’s specific safeguards are outlined (e.g. the specifics of your password requirements, or who to contact to report a complaint or a breach). Popular methods include video-based training and classroom training. These can be effective when supplemented with organization-specific information.
When To Train?
HIPAA training must be provided at least annually to anyone with access to PHI. It must also be provided to individuals when they are hired or when their job functions change to require them to have access to PHI. Periodic training is a best practice. It can be done via webinars, classroom sessions, or even e-mails (like this one). The more emphasis the organization places on educating staff on its privacy and security safeguards, the more of a priority it will become for the staff themselves. Frequent training, or training reminders, can easily create a culture of compliance which will make all the safeguards in place more effective.
What To Include In HIPAA Security Training