Breach Notification: Lessons Learned

A privacy officer shares real-world experiences
May 3, 2010 - Howard Anderson, Managing Editor, HealthcareInfoSecurity.com

The most difficult part of complying with the HITECH breach notification rule is determining whether a breach poses enough of a threat of harm to merit reporting it. That's the conclusion of the privacy officer at one healthcare organization that recently reported a breach.

John Muir Health, a Walnut Creek, Calif.-based two-hospital system, notified federal regulators, the media and nearly 5,500 patients of a breach following a burglary at a perinatal clinic. Thieves took two unencrypted laptops plus a variety of other electronic equipment. So far, law enforcement officials haven't solved the crime, nor have they gotten reports of fraud related to the theft.

Based on its experience with breach notification, Hala Helm, John Muir's chief compliance and privacy officer, advises other healthcare organizations to:

  • Be conservative when determining whether an incident involves significant risk to patients, erring on the side of reporting the breach even if the risk seems relatively minimal;
  • Hire an outsourcing firm to help speed the mass mailing of alerts to patients;
  • Cast a broad net when notifying the media and make executives available for interviews;
  • Conduct ongoing training of staff on privacy and security matters; and
  • Be sure to encrypt laptop devices.

Assessing harm

Under the breach notification rule, healthcare organizations must determine whether a particular data security breach presents a "significant risk" of harm and thus needs to be reported. This "harm threshold" has proven controversial because it means federal regulators are largely leaving it up to healthcare organizations to decide whether they need to give notification of a breach.

Determining the risk posed by a breach incident is extremely challenging, Helm says. But when in doubt, she says, it pays to keep patients well-informed.

"We enjoy a very favorable position in our community. Although we felt that the risk to patients from this incident was very low, and it was not attributable to our negligence, we didn't want to do anything to jeopardize our relationship with our patients. So we took a conservative approach."

The laptops were stolen after business hours from a locked third-floor office in a locked building with a security guard on duty and the elevators disabled. And the patient information on the devices was held within clinical applications "that would take specialized knowledge" to access, Helm says.

As a result of the "harm threshold" provision in the breach notification rule, healthcare organizations must "create a well-defined risk analysis process" to help them determine what breaches to report, says Tom Walsh, president of Tom Walsh Consulting LLC, an Overland Park, Kan.-based firm specializing in healthcare data security issues. "Now is the time to get that done."

Getting outside help

Once it decided to report the incident, the hospital hired an outsourcer to handle the timely mass mailing to patients, a mailing that offered them a year's worth of free ID theft protection to help build goodwill. "We outsource all our mass mailings anyways," Helm notes.

Ben Drew, who handles media relations for John Muir Health, took the lead role in drafting the language in the letters, which was reviewed by attorneys. "You must have a good media relations person draft the press release and the letters," Helm says. "Putting them in a format that's polished and easy for people to understand is key."

Rather than send a press release to one media outlet, John Muir Health sent it to all area newspapers, television stations and even a local business journal. "We tried to cast a net widely enough so that people would hear about it," says Helm, who did several TV interviews.

Withholding details

Although the organization alerted affected patients to the nature of personal information stored on the devices, it did not reveal details to the media. John Muir Health's attorneys told federal regulators they didn't want to publicize the nature of the information because the breach involved an ongoing burglary investigation, and regulators agreed, Helm says.

A cross section of staff members, from IT to marketing to senior executives, was involved in the breach notification planning. At the time of the incident, however, the organization had not yet updated its breach reporting plan, originally designed with California state regulatory requirements in mind, to reflect the new HITECH requirements, Helm acknowledges. It's in the process of beefing up its plan to include more details on such aspects as notifying the media and federal authorities.
