Breach Notification: Step by Step Guide
Experts outline HITECH compliance strategies
When preparing to comply with the HITECH Act's Breach Notification rule, experts advise healthcare organizations to take several important steps:
- Be sure to understand what constitutes a breach under the rule and what kinds of incidents must be reported.
- Make widespread use of encryption. That's because the rule contains a safe harbor exempting organizations from reporting breaches of encrypted data. The safe harbor applies only to data encrypted in a manner consistent with HHS guidance, and it does not apply if the decryption key was compromised along with the data.
- Work closely with business associates, such as software companies, billing services and banks, to make sure they're prepared to comply with the rule, which requires them to promptly report breaches to covered entities, such as hospitals and clinics.
Under the rule, healthcare organizations must notify affected individuals without unreasonable delay, and no later than 60 days after the breach is discovered. Breaches affecting 500 or more individuals must also be reported to the HHS Office for Civil Rights within that same period, and the news media must be notified when more than 500 residents of a state or jurisdiction are affected. Smaller breaches must be logged and reported to HHS annually.
Develop a plan
Healthcare organizations can't afford to put off creating a breach notification plan that spells out who will handle what tasks as well as how the incident will be investigated, says attorney Deven McGraw. She's director of the health privacy project at the Center for Democracy & Technology, a Washington-based civil liberties group.
"Even in the best organizations that pay a lot of attention to data security and are very careful, inevitably things will occur," she stresses. As a result, all hospitals, clinics and other organizations should create a step-by-step notification plan "rather than waiting until a breach happens and then trying to pull together a responsive process on the fly."
A breach notification plan should include four critical elements, says attorney Gerry Hinkley. He's co-chair of the healthcare industry team at Pillsbury Winthrop Shaw Pittman in San Francisco. Those elements are:
- Technology. "Make sure that there are technological measures to ensure that all of the protected health information in your custody is secure, and to the extent that it is not secure, that you have mechanisms to detect when a breach has occurred."
- Leadership. "Someone needs to show leadership with respect to the policy development and either take responsibility or establish responsibility."
- Legal issues. "Legal counsel should make certain that you are legally compliant and that you have mechanisms in place to take advantage of attorney/client privilege where that is appropriate."
- State issues. "Reconcile the federal requirements with any state requirements that may be different from the federal requirements." Tougher state laws are not pre-empted by the federal rule.
The plan itself, Hinkley says, should include processes for: discovering breaches; determining appropriate mitigation; developing advice for the affected individuals; creating and distributing notices to individuals, the media and regulators; and "creating an accounting process for keeping track of how you carried out the notification."
Know the rule's details
Compliance with the rule requires a thorough understanding of the terms within it, McGraw stresses. And that's far from an easy task.
For example, the rule's definition of a breach is quite broad, she points out. "It's basically any unauthorized access, use or disclosure of protected health information in a way that compromises the privacy and security of that information, which has been interpreted to mean that the breach actually poses a significant risk of harm to the individual who is the subject of the information."
In other words, she says, a breach is "essentially any time information, even internally, is used in a way that either isn't expressly authorized by the patient or isn't otherwise authorized by law."
But the rule is fuzzy in that it includes a harm threshold, giving healthcare organizations the latitude to determine whether the incident poses a significant enough risk to merit reporting it.
"It really puts the burden on the entities to try to figure out whether a particular breach might be harmful to an individual," McGraw says. Sometimes that's easy, such as when Social Security numbers are accessed. "On the other hand, if you are talking about a health condition, that is a trickier set of circumstances," she says.
The Center for Democracy & Technology is one of many organizations that have called on regulators to greatly clarify the harm threshold provision.
In the meantime, healthcare organizations must "create a well-defined risk analysis process" to help them determine which breaches to report, says Tom Walsh, president of Tom Walsh Consulting LLC, Overland Park, Kan. "Now is the time to get that done."
Because so many of the major breaches reported so far have involved the theft or loss of unencrypted computer devices, especially laptops, many experts stress that encryption should be an essential component of any compliance effort.
"I would be willing to bet that if you ask folks who have recently experienced rather large-scale breaches if they wished they had encrypted the data on those stolen computers, they would say yes, because they are paying a lot to notify patients, much less pay for the damage to their reputation because of the public disclosure of the breach, and they could have saved a lot if they encrypted," McGraw says.
Work with business associates
When it comes to working with business associates, healthcare organizations should take a series of steps to ensure compliance, says Walsh, the security specialist. Among those steps are:
- Update all business associate agreements. Define the term "breach" and specify which incidents must be reported. Require the firms to make extensive use of encryption. And add specifics about HIPAA compliance.
- Make sure associates have a system in place for collecting all necessary information about an incident.
- Ask if the firms have insurance that would cover breach-related costs.
- Specify how associates should communicate with the healthcare organization in the event of a breach. "You sure don't want them to send an e-mail," Walsh says. "I would want to have a secure channel and I would want to tell them who to send it to."