In previous installments, we have discussed two critical components of handling a breach of protected health information ("PHI") under HIPAA: assessment of probability that PHI has been compromised, and the rules regarding notification to data subjects, regulators, and media. Next, we take a look at some of the lessons we have learned over the years drawing upon experience with both HIPAA and working with regulators, like the Office of Civil Rights or state attorneys general. In sum, staying organized and documenting your work both before and after the breach can be incredibly helpful. As we have stated many a time in our blogs on data governance: Have a Story to Tell.
1. Have a Plan to Anticipate a Breach and Document that Plan
The HIPAA Security Rule requires Covered Entities and Business Associates to implement policies and procedures to address security incidents (45 C.F.R. 164.308(a)(6)(i)). But merely stating you have a plan or informally discussing a plan with colleagues and employees is insufficient. Indeed, regulators may ask for evidence that you have complied with your own security incident procedures. Therefore, Covered Entities and Business Associates should document a security incident response plan that considers the following issues:
Who is on your Incident Response Team ("IRT")?
How is the IRT activated and what are the members' functions?
How is a "security incident" defined?
How are incidents documented and reported internally to the IRT?
To whom should incidents be reported externally?
What are reasonable and appropriate responses to different types of incidents?
2. Have a Plan to Report a Breach, Document that Plan and Test that Plan.
So you have a plan for when a breach happens, but do you have a plan for how you will report a breach? More importantly, do you have a process by which to determine if you even have to provide notice? (This is no small question, and not only can have huge compliance and legal implications, but also extensive operational and budgetary impacts.) The HIPAA Breach Notification Rule requires Covered Entities and Business Associates to implement policies and procedures to address the timely reporting of breaches (45 C.F.R. 164.414(a)). Having and documenting a plan is important to both ensure compliance with the notification requirements outlined in our previous post and in showing a regulator or investigator that your organization has worked to comply with HIPAA if the regulator asks for any evidence of a well-documented plan. A breach notification plan should consider the following questions:
To whom should employees report security incidents?
Who is responsible for completing a risk assessment to determine if the incident is a "breach" as defined under HIPAA?
Who is responsible for completing a risk assessment to determine if the incident is a "breach" under one or more state laws?
If you have a breach, who is responsible for determining if it must be reported externally?
Who is ultimately responsible for ensuring that timely notifications are submitted?
How will the IRT coordinate the multidisciplinary response needed (legal, external messaging, operational management and security)?
How will this process run? With a plan in place, have you tested your plan with table top exercises or other scenarios based practice opportunities?
3. Keep Track of All Investigations and Analyses and Document Thoroughly
The Security Rule requires Covered Entities and Business Associates to document security incidents and their outcomes (45 C.F.R. 164.308(a)(6)(ii)). Covered Entities and Business Associates should consider maintaining detailed documentation of any security incident (whether it amounts to a serious compromise or not) that includes the following:
Detailed descriptions of all internal investigations into the security incident
Risk assessments and submission of notifications pursuant to Breach Notification Rule
An analysis of the root causes of the incident
Any and all actions taken to mitigate harm to affected individuals
Corrective action measures taken. If corrective actions were not taken, document the rationale for not taking them.
Methods by which corrective action measures have been implemented
4. Help Regulators Help You
An investigation or audit can be unnerving at first. But do not treat a regulator like it’s the bad guy. Generally speaking, the more you cooperate with an investigative body and show that you are being forthright and transparent (i.e. You HAVE a story), the smoother the process will go. Maintaining thorough and detailed records helps you communicate to a regulator that you have taken all steps required under HIPAA and also provide you a roadmap to making the ongoing improvements necessary to fortify your enterprise against the occurrence against future incidents. Without question, involving legal counsel early and a member of the Incident Response Team will go a long way to smoothly moving through the data breach response process.
A security incident or breach relating to PHI can feel overwhelming. But with proper planning, documentation, and organization, a Covered Entity or Business Associate can navigate HIPAA's requirements effectively. Investigators and auditors are looking to see that Covered Entities and Business Associates have done their homework; proper documentation shows that work. When in doubt, consulting with an attorney can also be valuable when complying with HIPAA. Faruki Ireland and Cox attorneys have experience working with data breaches and compliance under HIPAA. We can help you with HIPAA compliance before, during, and even after a security incident.