Are you prepared in the event of a HIPAA breach?

HIPAA is not a new issue for healthcare providers; however, the ever changing threat landscape along with the OCR’s renewed commitment to compliance and enforcement, reinforces the need for healthcare providers to ensure that they are focused on preparing for privacy or security issues that are increasingly occurring.

Unfortunately, due to the necessary growth technology in the healthcare sector, it is likely that significant breaches will continue to affect the healthcare industry.

Due to the increasing breach risks there are two vital issues that need to be addressed for any healthcare provider:

  1. Traditional compliance efforts designed to train staff and ultimately prevent problems from occurring.
  2. Preparation for responding to a breach if one occurs.

Although these two areas involve some overlap, many healthcare organizations have neglected “breach readiness.” If a breach occurs, there are a number of protocols that need to be initiated almost simultaneously. A comprehensive breach response protocol can limit your economic and reputational damage and get you through an incident with as little damage as possible.

So what are the keys to breach preparation? 

1. Be Prepared to Respond Quickly

It is critical to minimize the amount of time spent figuring out what happened. Whether the underlying incident was caused by the hospital’s business associate vendor or by a member of the hospital’s workforce, it is critical that the potential breach is reported to the hospital’s privacy officer as close to immediately as possible. It can be challenging to avoid reporting time lag when the incident is caused by a vendor (something that should addressed when negotiating vendor agreements), providers should take the time to ensure that all workforce members are educated as to when a “situation” becomes a HIPAA breach. Although a breach brings with it some unavoidable exposure, your ability to respond quickly and appropriately goes a long way to minimize that exposure.

2. Get the Right Teams in Place

Internally providers need a standing committee made up of the key decision makers in a breach situation. Typically this includes the privacy officer, security officer, the compliance officer, the chief information officer, a member of the legal team, and a member of the public relations team. If your legal team does not have HIPAA expertise, it’s prudent to have a relationship with outside counsel that has navigated breach response and OCR investigations.

3. Take care of the basics.

If a breach occurs, especially one involving 500+ records, hospitals should brace for the inevitable OCR investigation. The investigation will focus on the incident that caused the breach; the OCR will also want to take a look at the hospital’s overall HIPAA compliance program. You should ensure that certain core compliance documents are in place. The OCR will most likely ask to review the following:

  1. Privacy and security policies and procedures including those associated with responding to a breach.
  2. Training.
  3. Logs showing that training has been completed.
  4. HIPAA Security Rule risk assessment and associated yearly updates.

While no one wants to have a breach occur, it’s important that you’re prepared for a variety of compliance scenarios. If you have any questions regarding HIPAA compliance or breach protection, call ITPAC today.