In the last 18 months, there have been three massive data breaches involving the healthcare industry, scores of smaller breaches, and a growing trend of insider threats posed by employees who have sold protected health information (PHI) for their own personal gain. Unlike stolen credit card numbers that can be deactivated, the personal identifying information needed to commit identity-theft type crimes, such as name, address, Social Security number, and date of birth, cannot be changed easily, if at all. Because of the permanent nature of the information that they contain, health records are approximately 10 times more valuable than stolen credit card numbers on Internet black markets where they can be bought and sold in bulk.
Now more than ever, because of new threats posed by such cybercriminals, any organization that collects, uses, discloses, or stores PHI is a potential breach victim. Covered Entities and their Business Associates subject to HIPAA who suffer a data breach must act quickly and correctly in assessing the situation. They must thoroughly investigate and mitigate risks caused by the breach, attempt recovery of the lost information, and provide required notifications to affected individuals and others. Throughout this process, organizations experiencing a breach should strive to demonstrate publicly that the data loss is being handled responsibly and appropriately.
Defining a "Breach"
HIPAA defines a breach as the acquisition, access, use, or disclosure of PHI in a manner inconsistent with the Privacy Rule that compromises its security or privacy. In most cases, a breach is presumed to have occurred unless it can be demonstrated that there is a "low probability" that the PHI has been compromised. When performing this initial inquiry, an organization must consider:
1. The nature and extent of the PHI involved, including the types of identifiers and likelihood of re-identification;
2. The unauthorized person who used the PHI or to whom the disclosure was made;
3. Whether the PHI was actually acquired or viewed; and
4. The extent to which the risk to the PHI has been mitigated.
Plan Ahead for Breach Notification
Every Covered Entity and Business Associate that handles PHI should develop its own unique breach response plan, built upon its most recent Security Risk Assessment (SRA), itself a fundamental step in the development of a comprehensive HIPAA security program. This security program should include a complete inventory of all devices containing sensitive data and policies and procedures requiring the immediate reporting of any lost, stolen, or compromised devices or media.
Using the most critical vulnerabilities identified in the SRA as a blueprint, the "worst case" scenario should be used to develop a detailed response plan. This discussion and handling of the "crisis" in a benign environment should be memorialized and refined into a formal breach response plan that identifies clear lines of communication and responsibility, including what gets done, who does it, and when they are supposed to do it.
Merely having a breach response plan on paper is not enough. Individuals who are expected to implement the plan must understand and be equipped to execute their responsibilities.
Whether through a medical practice's in-house counsel or an outside law firm, there are important reasons to integrate counsel into a breach response plan. Privacy counsel with breach response experience can bring valuable insight and steadying presence to an unfamiliar and sometimes chaotic situation. In the event of a follow-up investigation by HHS' Office for Civil Rights (OCR) (which is mandated in breaches affecting 500 or more individuals) or civil litigation, an organization's deliberative processes and internal communications and/or actions involving their counsel regarding breach response may be kept confidential through these doctrines. Without the involvement of counsel, the entirety of an organization's actions and communications would be potentially discoverable in the now familiar class-action lawsuits that inevitably follow data breaches.