Five Breach Notification Planning Tips
Executives at two healthcare organizations that have gone through the notification process have plenty of lessons to share about complying with the HITECH Breach Notification Rule. Following are five important lessons that everyone should keep in mind:
LESSON ONE: Be conservative when determining whether an incident involves significant risk to patients, erring on the side of reporting the breach even if risk seems relatively minimal.
That's the advice from Hala Helm, chief compliance and privacy officer at John Muir Health. The Walnut Creek, Calif.-based two-hospital system notified federal regulators, the media and nearly 5,500 patients of a breach following a burglary at a perinatal clinic.
"We enjoy a very favorable position in our community," Helm says. "Although we felt that the risk to patients from this incident was very low, and it was not attributable to our negligence, we didn't want to do anything to jeopardize our relationship with our patients. So we took a conservative approach."
The bottom line? When in doubt, report the breach.
LESSON TWO: In preparing a breach notification plan, be sure to prepare a pre-selected list of vendors that can help with various tasks.
BlueCross BlueShield of Tennessee had a breach notification plan in place long before the HITECH Breach Notification Rule was issued last September. But the plan, which had been updated for HITECH compliance, lacked one critical element: a list of pre-selected vendors that could lend a hand with specific tasks, such as mailing notification letters to enrollees.
So when the insurer scrambled to deal with the aftermath of a breach affecting 1 million enrollees, it had its hands full.
"I wish we had researched vendors we needed beforehand," says Tena Roberson, deputy general counsel and chief privacy officer. "I wish we didn't have to rush to find credit line attorneys, security review specialists and other assistance that we needed."
Doing that work upfront can save precious time in the intense days following an incident.
LESSON THREE: Train customer service representatives to deal with breach-related questions from the public.
The Tennessee insurer was well-served by its strategy of setting up an e-mail address and a toll-free number for consumers to reach customer service staff members who were "steeped in the details" of the breach incident, says Roy Vaughn, director of corporate communications.
Obviously, you don't want to steer your customers to a toll-free number staffed by ill-prepared representatives. That will do more harm than good.
LESSON FOUR: Be prepared to communicate frequent updates on breach investigations through the media and a Web site. Both John Muir and the Tennessee insurer took this approach.
Rather than send a press release to one media outlet, John Muir Health sent it to all area newspapers, television stations and even a local business journal. "We tried to cast a net widely enough so that people would hear about it," says Helm, who did several TV interviews.
And the insurer posted frequent updates on its site offering in-depth details on the status of its massive, multi-month investigation.
This kind of transparency will pay off over the long haul. After all, no one can afford to lose customers in the competitive healthcare marketplace.
LESSON FIVE: Conduct a "fire drill" for a breach incident, rehearsing how to perform a rapid risk assessment that measures the potential harm involved and how to determine what information is stored on a particular device, Helm says.
Clearly, a rehearsal can help any organization test its procedures and become better prepared to handle an incident.