
Respond to a breach: Quick action can mitigate damage

HIPAA Training Advisor, October 18, 2007

Despite the fact that your facility might do its best to protect patients' PHI, a security breach that is out of your control can occur. However, there are steps you can take to restore patient trust and reduce potential legal liability and regulatory scrutiny if a breach occurs.

Whether you have been the victim of a hacker or a dishonest or careless employee, effective damage control requires quick but thoughtful action, says Reese Hirsch, JD, a partner at Sonnenschein Nath and Rosenthal in San Francisco. Failure to do so may make matters worse, he adds.

Consider four must-have steps

Hirsch says that facilities that experience a breach of security should take the following actions:

  • Understand your legal obligations. You must understand your legal obligations according to your specific state's laws, Hirsch says. For example, if a breach has occurred, was there personal information involved, as defined under the applicable state law? Hirsch says there are minor variations in state laws that determine whether a breach has actually occurred. "In California, the trigger for causation is that there must be a reasonable belief that the information acquired was unauthorized, while in Delaware the breach must pose a likelihood of harm," Hirsch says.

  • Implement your incident response plan. Under the HIPAA security rule, covered entities are required to have a security incident response plan, but many facilities' plans are not very detailed or fleshed out, says Hirsch. An inadequate plan, or an automatic reaction that results in a failure to follow the plan, can put facilities at heightened risk given the extreme sensitivity with which PHI must be handled.

  • Work with law enforcement. Certain breaches do not require the involvement of law enforcement agencies, Hirsch says. However, in instances of theft, hackers, or dishonest employees, a facility should contact the relevant law enforcement officials as soon as possible. For example, in the event of laptop theft, you need to notify the local IT task force.

  • Notify credit reporting agencies. Facilities that have experienced a breach should alert credit agencies before notifying patients so that the agencies are aware of the breach, Hirsch says.

  • Communicate with patients. A breach in security can destroy the trust a facility has with its patients. This relationship can be difficult to restore. Hirsch says the best way to restore this trust is to demonstrate that you did the best you could to avoid the breach and you acted quickly once it was detected. In addition to sending a letter explaining the breach, facilities should consider providing or establishing a toll-free customer service number dedicated to addressing patient concerns. When a serious breach occurs, the facility should offer credit monitoring services, Hirsch adds.
