Whether it occurs as the result of a lost work laptop or stolen patient files, a data breach of the Health Insurance Portability and Accountability Act (HIPAA) is a worst-case scenario for healthcare providers (and patients). If you’re a healthcare provider, the minutes, hours, and days following a breach are nearly as important as the steps you take to prevent those breaches in the first place. If you experience a HIPAA breach, here’s what you can do to help protect your patients—and your practice:
Legally, healthcare providers must investigate any suspected breach. That means your practice must determine the size and scope of the breach to assess whether the probability that PHI has been compromised is low or high. Specifically, Medical Economics recommends performing a risk assessment based on these questions:
- What is the nature and extent of the PHI involved? What types of identifiers does the data include, and how easily could they be re-identified?
- Who received or used the PHI?
- Was the PHI actually acquired or viewed?
- Has the risk to the PHI been mitigated? If so, to what extent?
Furthermore, you’d need to establish the number of affected patient records, as this number is crucial to the next step in your breach survival guide.
The manner in which you handle post-breach communications can make or break your practice. (Psst—your practice should already have crisis messaging in place for such an occasion.) As much as I’m sure you’d love to keep the breach quiet, well-timed and strategic communications with your patients, employees, business partners, and vendors will help manage patient concerns and minimize the spread of misinformation. Plus, your practice is legally required to notify the affected patients—regardless of the scope of the breach.
However, there are two additional reporting requirements that do depend on the size of the breach:
- According to the U.S. Department of Health and Human Services, “A covered entity’s breach notification obligations differ based on whether the breach affects 500 or more individuals or fewer than 500 individuals.” If the breach affects fewer than 500 patients, your clinic isn’t under much of a time crunch. So long as you report the breach to the Office for Civil Rights (OCR) “within 60 days of the end of the calendar year in which the breach was discovered,” you’ve fulfilled your reporting requirements (though you can report sooner, if you wish).
However, if you experience a breach that affects 500 or more patients, your clinic must report the breach electronically “without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach.” This Government Health IT article explains that if you do need to report the breach to the OCR, you’ll need to document several key pieces of information, including:
- the number of affected patients;
- your practice’s efforts to notify those patients;
- a description of the type of PHI that was compromised;
- steps individual patients should take to protect their privacy; and
- a description of your damage-control efforts and how you plan to prevent future breaches.
- For breaches that affect 500 or more patients, your practice also must report the breach to the news media. If a breach is particularly large, your practice likely will attract a lot of media attention. Make sure your employees know not to engage members of the press without approval or appropriate messaging. Better yet? The above Government Health IT article strongly recommends retaining a “public relations firm with strong experience in crisis communications and reputation management” to help preserve your practice’s reputation.
Brace yourself—the financial fallout is coming. Ideally, your practice has a reserve of funds for emergencies such as this, but even if that’s the case, you’re probably in for a bumpy ride. Between the costs of investigating the breach, obtaining PR services, and making necessary IT security upgrades—not to mention the potential lawsuits and hefty OCR fines—your practice stands to lose and/or spend a large sum of money in a relatively short amount of time. Moreover, the loss of patient trust could hit your bottom line even harder. Thus, the better (and faster) you handle the two steps outlined under Communicate—and obviously, the better you prevent breaches in the first place—the better off your practice will be financially.
A HIPAA breach is probably your worst nightmare as a healthcare provider. Of course, you want to do everything in your power to ensure your practice never suffers such a breach, but accidents—and hackers—happen. Appropriately investigating, communicating, and budgeting for a HIPAA breach won’t erase the consequences, but it certainly will increase your practice’s chances of survival. Has your clinic suffered—and recovered from—a data breach? Tell us about it in the comments below.