Information breaches can throw an office into a panic. Whether it is a fax sent to the wrong number or a lost laptop with hundreds of patient records, practices need to have a solid breach response plan in place to reduce tumult and mitigate potential problems.
“After a breach, everyone is going to run around with their hair on fire,” said Jay Hodes, president of Colington Consulting in Washington, D.C.
Roy Wyman, a partner at Nelson Mullins, based in Columbia, SC, equated not having a breach response plan to a football team showing up Sunday morning and just then building their playbook.
“You have to practice beforehand and be ready to go or someone is going to eat your lunch,” he said.
According to Wyman, there are essentially three phases to any breach response plan: initial discovery, reaction, and the improvement phase.
One of the most important parts of any discovery after a breach is having a good response team. Long before a breach occurs, a list should be created with pertinent information on anyone who might be part of that group, including:
- chief security officer
- IT manager
- compliance officer
- human resources
- vendors like a public relations or forensics firm
- business associates
- enforcement agencies
Under normal circumstances, a practice may not have all of these resources at hand, but it is good to know who to turn to in case there is a problem.
Anyone pertinent on the team should be called in after a breach, and relevant staff should be interviewed to find out how the breach occurred. The chief privacy officer and legal counsel—and the human resources manager if the leak was internal—should be present during interviews.
Hodes likens the post-breach investigation to “contact tracing” during the Ebola scare. When finding out who was infected, healthcare groups have to go back and see who they came in contact with after infection. The same principles go for breach tracking, the goal of which is to ascertain what information got out and who might have been involved.
This tracing is required when completing an online breach notification for the Department of Health and Human Services. This must be done within 60 days of the end of the calendar year in which the breach took place if it affects fewer than 500 people.
During this discovery phase, it is important to document the progress of the investigation clearly. If a laptop was stolen, for instance, documentation should indicate who discovered the breach, the date and time of the theft, and what protected health information was lost, if that is known. Document all of the information available immediately and then go to the breach response plan and start following its steps.
“Everyone should have a breach response plan that gives a framework, but they need to be prepared to be flexible within that plan,” Wyman said.
One of the legal requirements for a breach is notification of people whose information was affected. After a breach, there is some urgency to let people know, but remember that practices have 60 days to get the word out. For breaches that impact more than 500 people, there is a requirement to send out a release to the local media.
Wyman said all practices – even very small ones – should have a form notification letter prepared that complies with state and HIPAA laws. Before notifying anyone, Hodes recommends contacting an attorney, preferably one who works in the healthcare realm, to help avoid “opening up a Pandora’s Box of legal issues.”
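The discovery-phase documentation described above (who found the breach, when it happened, what protected health information was involved) and the notification timelines (60 days to notify affected people, an HHS online notification within 60 days of the end of the calendar year for breaches affecting fewer than 500 people, and a media release when more than 500 are affected) can be kept together in a simple incident record. The following Python is an added example, not code from the article or from the consultants it quotes. It assumes that the 60-day individual-notice clock runs from the discovery date, that state-law obligations are tracked separately, and it leaves the case of exactly 500 affected people undecided because the article only gives "fewer than" and "more than" conditions; the sample breach below is constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Windows stated in the article (assumption: counted in calendar days).
INDIVIDUAL_NOTICE_WINDOW = timedelta(days=60)
HHS_SMALL_BREACH_WINDOW = timedelta(days=60)   # after the end of the calendar year
MEDIA_RELEASE_THRESHOLD = 500


@dataclass
class BreachRecord:
    """Facts the article says to document immediately on discovery."""
    discovered_by: str
    discovered_on: date
    occurred_on: date
    description: str            # e.g. "laptop stolen from parked car"
    phi_involved: str           # what PHI was lost, if known
    affected_count: int
    progress_log: list = field(default_factory=list)

    def note(self, when: date, text: str) -> None:
        """Append a dated entry so the investigation's progress is traceable."""
        self.progress_log.append((when.isoformat(), text))


def individual_notice_deadline(rec: BreachRecord) -> date:
    # Assumption: the 60-day clock starts at discovery.
    return rec.discovered_on + INDIVIDUAL_NOTICE_WINDOW


def media_release_required(rec: BreachRecord) -> bool:
    # Article: a release to local media is required for more than 500 people.
    return rec.affected_count > MEDIA_RELEASE_THRESHOLD


def hhs_notification_deadline(rec: BreachRecord) -> Optional[date]:
    # Article: for fewer than 500 people, the HHS online notification is due
    # within 60 days of the end of the calendar year in which the breach occurred.
    # The article gives no timeline for larger breaches, so None is returned there.
    if rec.affected_count < MEDIA_RELEASE_THRESHOLD:
        year_end = date(rec.occurred_on.year, 12, 31)
        return year_end + HHS_SMALL_BREACH_WINDOW
    return None


def obligations(rec: BreachRecord) -> dict:
    """Summarise the notification duties the article describes for this record."""
    hhs = hhs_notification_deadline(rec)
    return {
        "notify_individuals_by": individual_notice_deadline(rec).isoformat(),
        "hhs_online_notification_by": hhs.isoformat() if hhs else "not stated in article",
        "media_release_required": media_release_required(rec),
        "consult_counsel_before_notifying": True,   # Hodes's recommendation
    }


def sample_record() -> BreachRecord:
    """Constructed sample: a stolen laptop holding a small number of records."""
    rec = BreachRecord(
        discovered_by="office manager (constructed)",
        discovered_on=date(2024, 3, 10),
        occurred_on=date(2024, 3, 8),
        description="laptop stolen from staff vehicle (constructed)",
        phi_involved="names, dates of birth, visit summaries (constructed)",
        affected_count=120,
    )
    rec.note(date(2024, 3, 10), "breach discovered; response team called in")
    rec.note(date(2024, 3, 11), "staff interviewed with privacy officer and counsel present")
    return rec


if __name__ == "__main__":
    rec = sample_record()
    for k, v in obligations(rec).items():
        print(f"{k}: {v}")
    for when, text in rec.progress_log:
        print(when, text)
```

The record is deliberately plain so it can be filled in during the "hair on fire" moments right after discovery; the deadline helpers only encode the windows the article states, so a practice's own state-law requirements would be added alongside them.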
Any time protected health information is breached, there is opportunity for improvement, though this step is the one most often overlooked, Wyman said. After the notifications and investigations are complete, offices should take the time to try to prevent future problems. Hodes recommends conducting a new risk assessment. If the breach was “egregious enough,” a corrective action plan can be created with which office staff should comply.
“You have to understand what you did poorly and ask how you can keep it from happening again,” Wyman said.
When you have figured out why a breach occurred, go through the steps and work to close any gaps that remain in the system. If the issue was with a business associate, maybe the relationship should be ended or the protected health information to which they are privy should be changed. If a practice does not want to cut ties, it can audit the business associate annually to ensure the associate is keeping records safe.