Prepare to respond to breaches of privacy
Practical steps your organization can take now to avoid federal scrutiny
While your healthcare organization awaits a breach notification final rule from HHS, there are some practical steps you can take to prepare should you need to notify patients of a privacy breach.
Before an event happens, you should have a plan in place detailing how you will respond to a breach and notify your patients, says David Behinfar, JD, LLM, CHC, CIPP, privacy manager at the University of Florida College of Medicine in Jacksonville.
If you need to notify patients of a breach, there are some important elements of the process you should consider, says Behinfar, who spoke at the three-day Fourth HIPAA Summit West meeting in San Francisco October 5. You won’t find these issues in the final rule, he says, since HHS simply does not formally provide specific guidance on one method of compliance versus another. HHS typically leaves it up to covered entities (CE) to work out the details for themselves, he says.
Remember that, upon discovery of a breach of unsecured PHI, the CE must issue notification to affected persons and possibly to HHS and the media.
Take these steps in advance to prepare:
• Plan for computer forensics. Have a plan in place to address the need for computer forensics, says Behinfar.
If your organization loses possession of an unencrypted laptop computer and you later regain possession of the device, how do you know whether someone accessed the PHI it contained?
If you can obtain results of computer forensics testing before notifying patients of a breach, that is ideal—because you may not need to send the letters at all, Behinfar says. Computer forensics may show that no one actually accessed the information. Your IT personnel may know of a reputable computer forensics lab or person who can perform this service for your organization, he says.
Make sure you know before a breach occurs whom you will call for a forensics examination, Behinfar says.
This is also important because of the time limitations for notifying affected persons, says John C. Parmigiani, MS, BES, president of John C. Parmigiani & Associates, LLC, in Ellicott City, MD.
Under the federal breach notification rule, a CE must notify affected individuals as soon as reasonably possible, but no later than 60 days from the time it becomes aware of a breach. However, some states impose a time limit of five days or less for notification, Parmigiani notes.
Research and choose a computer forensic firm, and perhaps have an arrangement with one or more companies that can provide a quick turnaround in the case of a suspected breach, he says.
Being able to determine from a forensic analysis whether PHI was accessed by an unauthorized person is an important first step in establishing whether a breach occurred, Parmigiani says. The notification process—sending letters, setting up a call center, putting out a press release—is time-consuming and expensive, he notes.
Forensics should be unnecessary in most cases if CEs are properly encrypting ePHI, shredding paper PHI, and otherwise following the HHS and National Institute of Standards and Technology guidance specifying the technologies and methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals, says Daniel F. Gottlieb, Esq., a partner at McDermott Will & Emery, LLP, in Chicago.
You can find HHS’ interim final rule on Breach Notification for Unsecured Protected Health Information at http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf.
For guidance that specifies the technologies and methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals, visit www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html.
However, in certain instances, such as a hacking event, forensics may provide analysis that is helpful to the risk assessment required under the HITECH breach notification regulations or your risk assessments to comply with overlapping state breach notification laws, says Gottlieb.
• Contract with a call center. “If you think you can internally handle calls on a breach involving 100,000 patients, more power to you,” Behinfar says. If not, you need to think about contracting with a call center.
As call center services can be expensive, Behinfar recommends that organizations send out a request for proposals and know whom they will use before a privacy breach occurs.
When choosing a call center, know where the center is located—Behinfar advises using a center in the United States. CEs must rely on this company and its employees to handle sensitive information, he says. Companies that are overseas are not subject to U.S. laws and will likely be beyond a CE’s reach if they misappropriate any information they are able to access about patients, thus placing organizations in even more trouble.
Several years ago, a call center employee in India misappropriated PHI from a CE and threatened to release it because the call center failed to pay her, Behinfar says. “It was a mess—and the instructive point was that CEs should rely on U.S.-based call centers,” he says.
Also consider whether the call center has or offers:
- A performance bond
- Privacy breach experience
- More than one location
- Good references
- The ability to handle calls 24/7, including holidays
- Multilingual staff
- A project manager at management level assigned to handle your breach
- An escalation process to address unsatisfied callers
- Customized reporting
- Detailed pricing
- Training for call center employees on your specific breach
- Assistance with script writing
The CE should require the call center to assign one person to be the lead manager for its specific breach who can work with the CE on daily issues, Behinfar says. You want to speak to the same manager who knows the details of your breach.
A proper escalation process will address disgruntled callers who are unsatisfied with the response they receive. The call center should have a process to transfer an unsatisfied caller to a higher-level management professional who can hopefully satisfy the caller’s needs, Behinfar says. The final step in the escalation process is referral to the healthcare organization’s privacy officer.
You should line up a call center contractor in advance that you can quickly employ, especially in breach situations affecting a large number of individuals, such as 500 or more, says Parmigiani.
You may be able to handle breaches affecting smaller numbers of people in-house, but consider whether your organization can quickly marshal the requisite skills and resources to respond within the required time limits, he says.
Gottlieb says that when an organization sends a breach notification letter to a large number of affected individuals, it should engage an experienced call center to handle calls. Call center operators should be trained to respond to anticipated questions.
The organization should require the call center to staff the line with extra operators for the first few days after individuals receive the letters because there will be higher call volume on those days, Gottlieb says.
• Prepare for printing and mailing the breach notice. It is not an easy task to print 100,000 letters, Behinfar says.
You need to think about the details of how you would complete a massive mailing. Will you personalize each letter or simply have a “Dear patient” introduction? Who will put together the list of patients and perform the mail merge?
You also need to determine whether your organization will handle the mailing directly or contract out the process in whole or in part, Behinfar says.
If you think you can complete the mailing using in-house resources, ask your mailing center what its capabilities and advance notice requirements are. Can it handle breach notices at the same time that patient statements are scheduled to go out? Once again, you are going to be under tight time constraints to send out the notices.
Tips: Use quality bond paper for the notification letters. Otherwise, your letter may look phony, Behinfar says. Also consider using a mailing service that can check addresses to minimize the amount of returned mail, suggests Gottlieb.
• Know your plan for creating a press release. Federal breach notification requirements mandate that CEs notify the HHS secretary and prominent media outlets serving a state or jurisdiction when breaches affect 500 or more individuals.
Make sure you quickly involve your PR department so you can coordinate the timing of mailing the breach notice with the issuing of a press release, Behinfar advises. If you don’t have an internal PR department, decide how you will proceed with any media relations, he says.
There are two schools of thought on this issue. The press release is best handled in-house, Parmigiani says, either by an organization’s PR department or its legal/risk management personnel. Construct your press release in an empathetic way that best communicates with your patients, he says.
“While this could be contracted out, I believe that something may be lost in the delivery of the message,” Parmigiani says.
On the other hand, Gottlieb believes the job is best handled by PR professionals who can craft a press release. Unlike other press releases, the goal is not to generate lots of publicity, but rather to demonstrate that your organization is handling the incident carefully, he explains.
• Be prepared when you file a police report. Whether you file a police report depends on the nature of the breach, says Parmigiani. For instance, was physical equipment taken from your organization or was there unlawful entry to your facilities?
If you fill out a police report, be aware that you could be tipping your hand to the media, says Behinfar. So be prepared, as this may force your hand in sending out a press release. A police report can accelerate the course of events and force you to complete your breach response plan in a very tight time frame, he says.
Parmigiani agrees a police report can often trigger a media response. You may find your organization in the spotlight for “late-breaking news,” and this can force you to hastily prepare and deliver a press release, he says.
Gottlieb says his law firm generally recommends filing a police report. This demonstrates that the organization is taking the security breach seriously, and it also may be necessary for any insurance claims. If an individual is a victim of identity theft, he or she should also consider filing a police report, he says.
• Identify vendors of identity theft insurance and credit monitoring. Will you offer recipients of a breach notice the option of identity theft insurance or credit monitoring? If so, you should have a vendor or vendors lined up in advance, Behinfar says. Your letters should provide recipients with instructions on obtaining this protection.
There are several vendors in the market, and there can be a significant difference between vendors, says Behinfar. Also consider the implications of offering this service to your patients. If another breach occurs, will you have to do this every time? Who will make this decision?
Some of these questions may be academic, as CEs may find requirements built into new proposed federal breach reporting laws, Behinfar says.
Organizations also need to think carefully about the value of credit monitoring services, he adds.
In March 2010, LifeLock®, Inc., an Arizona-based company, agreed to pay $11 million to the Federal Trade Commission (FTC) and $1 million to a group of 35 state attorneys general to settle charges that the company used false claims to promote its identity theft protection services.
“While LifeLock promised consumers complete protection against all types of identity theft, in truth, the protection it actually provided left enough holes that you could drive a truck through it,” FTC chair Jon Leibowitz said in a press release. You can read more about the settlement on the FTC website at www.ftc.gov/opa/2010/03/lifelock.shtm.
• Consider the value of these services. Are you simply paying someone to place fraud alerts on accounts, which any individual should be able to do themselves? Behinfar asks.
Carefully consider what you will offer. “In my opinion, identity theft insurance is both overrated and ineffectual, usually containing conditions and disclaimers that limit liability coverage,” says Parmigiani.
On the other hand, Parmigiani says credit monitoring coverage by the three major credit bureaus is a fairly standard practice. Organizations typically offer monitoring services for one year, he says.
The service is appreciated by victims, giving them one less thing to worry about, and is a good example of concern and due diligence on the part of the organization whose data were breached, he says.
Gottlieb says he generally recommends offering credit monitoring if the breach involves Social Security numbers or financial account information, putting patients at risk of financial identity theft. “The credit monitoring mitigates an individual’s risk of financial identity theft and demonstrates that the organization is empathetic to the concerns of affected individuals,” he says. In addition, when lawsuits are filed against organizations experiencing breaches, they often claim unreimbursed credit monitoring expenses as damages, he says.
So don’t wait for a breach to occur. Establish a process for effective and timely breach response, says Parmigiani. Identify the necessary resources, whether in-house or external, and be sure they are on alert or under contract. Test your process periodically to ensure both regulatory compliance and operational functionality, he says.
Organizations Parmigiani knows are taking the breach notification requirements seriously. They are aware of the tremendous downside from neglect in this area—consequences such as an investigation by OCR, civil monetary penalties, and bad publicity.