Revisit your facility’s incident response plan: Minimize costs and ensure compliance

HIPAA Training Advisor, September 20, 2007

The HIPAA security rule requires your facility to have an incident response plan in place. Many covered entities see their obligation fulfilled in the form of a thick notebook that they revisit once per year.

However, there's a lot more than security rule compliance at stake when preparing for incidents, says Reece Hirsch, JD, of Sonnenschein Nath & Rosenthal, LLP, in San Francisco.

You also need to be administratively prepared to address the requirements of state security breach notification laws. And beyond state and federal legal requirements, you also have to worry about the potential losses from an incident, says John C. Parmigiani, president of John C. Parmigiani & Associates, LLC, in Ellicott City, MD.

Parmigiani helped formulate the HIPAA security rule. An incident, he notes, means that your organization will suffer both direct losses, such as the need to replace stolen hardware, and indirect losses, such as lost market share to a competing local hospital when critical media coverage erodes consumer confidence.

In addition, the costs of investigating and responding to an incident can be astronomical. Consider the costs of the following:

  • State fines/penalties
  • Legal fees
  • Notification letters
  • Call centers
  • Credit monitoring

Minimize the effect of incidents and ensure compliance by having a robust incident response plan in place and testing and updating it regularly. "In a hospital, if someone slips on a wet spot and falls, they know what to do: write it up, etc.," Parmigiani says. "[The facility] needs to be similarly prepared for incidents."

Create a response team

Most covered entities have an incident response plan in place pursuant to the security rule requirement. However, this plan is often not robust enough to handle real incidents, Hirsch says. To ensure rapid response, your plan should create an incident response team that knows how to coordinate a prompt and thorough incident response and communicate details of the incident with employees and external groups.

Include members from the following departments in your team (see "Handle incident response in the office setting" below for information about incident response in smaller organizations):

  • Legal
  • Compliance
  • IT
  • Public relations
  • HR
  • Investor relations (if a publicly owned company)
  • Privacy/security
  • Executive sponsorship

Although you don't need to make your executive arm aware of every minor incident that occurs, be sure to brief them when necessary, as the media will likely contact them for comment. Indeed, one of the purposes of the incident response team is to coordinate a response to the crisis for the public.

Parmigiani points to a recent incident at the University of Pittsburgh Medical Center, in which a physician's PowerPoint presentation containing PHI accidentally appeared on a publicly accessible Web site.

The media contacted several different departments (e.g., security, privacy, compliance, executive) for information.

The lesson: Present a united response to the incident by channeling media questions to a designated team member.

The incident response team should also be responsible for the following two functions:

  1. Compliance with state security breach notification laws. After a lawyer has sorted out the effect of HIPAA and other relevant state and federal laws (see "Know when to bring in a lawyer" below), your facility might have to notify victims of the incident pursuant to state notification laws.

    This can be a monumental task; the larger the organization, the more work it should complete in advance of an incident. For example, larger facilities should already have contracts in place to set up call centers and write/mail notification letters.

  2. Notification of other relevant entities. Although state/federal law might not require covered entities to notify everyone of an incident, healthcare organizations need to think about other parties they'll need to inform, Hirsch says.

    For example, a payer handling a security incident that affects beneficiary PHI should consider notifying the insurance commissioner.

Know where your information is

Despite your best efforts to create and empower an incident response team, the group will probably be ineffective without the ability to assess the effect of an incident.

To do this, you must be able to provide information regarding where sensitive data are located on your network, both within and outside of your organization (such as with business associates), and who has access to it. Don't forget to account for data backups as part of this process, Hirsch says. (Consider the well-publicized Providence Health System data breach that occurred after thieves stole a van containing data backup tapes.)

"Covered entities should assess their systems and know how they maintain PHI," Hirsch says. "The more they do this, the more they'll be able to avoid problems."

Parmigiani suggests cataloging the following information concerning your data:

  • Classification/sensitivity
  • Location
  • Authorized user IDs and access privileges
  • Hardware inventory
  • Software inventory

In addition to having this information available to the incident response team, you need to ensure that news of an incident reaches team members quickly. Raise employee awareness about what an incident is, and ensure that the work force knows how to properly report one, as the information should preferably go to a single source in the organization, Parmigiani says. Don't forget that, although many discussions of security incidents focus on data confidentiality, threats to the integrity or availability of data (e.g., data tampering or denial-of-service attacks) are incidents too.

Know when to bring in a lawyer

When dealing with incident response, there are plenty of gray areas. For example, many state security breach notification laws include exceptions to notification for data that are encrypted. And many privacy- and security-related laws include a "reasonable risk of harm" standard with regard to incident response that can be hard for laypeople to understand. Knowing these and other caveats requires the expertise of legal counsel.

No matter how small the incident, you should seek the input of a lawyer to determine the applicable laws and your facility's obligations, recommends Reece Hirsch, JD, attorney at Sonnenschein Nath & Rosenthal, LLP, in San Francisco.

Handle incident response in the office setting

A physician's office doesn't typically have an IT department, public relations arm, or fully staffed compliance department. More likely, one or two office-staff members fulfill several of these roles, or the office contracts for external support. So who should be on the incident response team in smaller organizations?

Remember that the security rule is scalable, says John Parmigiani, president of John C. Parmigiani & Associates, LLC, in Ellicott City, MD. So don't think you can avoid incident preparation just because your organization is smaller. However, your incident response team might include only a few people who perform multiple functions for the practice.

For example, you should include the:

  • Office manager
  • IT staff (even if an outsourced business associate function)
  • Legal support

Your incident response team should comprise the people who fulfill the necessary roles, regardless of how many staff members that means. In a smaller organization, a single person covers a multitude of functions, often with help from external sources, Parmigiani says.