In May, the Department of Health and Human Services’ Office for Civil Rights (OCR) reached a settlement with Touchstone Medical Imaging, based in Franklin, Tennessee, in a case that highlights the importance of responding promptly and effectively to potential breaches of protected health information (PHI).
Touchstone must pay a $3 million fine and adopt a corrective action plan because, according to OCR, it did nothing after both OCR and the Federal Bureau of Investigation notified it that a breach had occurred: Touchstone’s servers had allowed search engines to expose more than 300,000 patients’ PHI.
The organization said no information was breached, but, according to OCR, this was not the case. OCR said it determined that Touchstone did not look into the incident until months after being notified of it, and did not contact affected patients in a timely manner. During its investigation, OCR found further problems: Touchstone had neither a thorough risk analysis nor business associate agreements in place with its vendors.
How an organization reacts to a breach may differ depending on the size of the practice and the amount and kind of data compromised. Regardless of the breach’s scope, though, a quick, efficient response can sometimes mean the difference between OCR pursuing a settlement and OCR closing the case.
Preparing for a breach
Most organizations do not plan for breaches before they occur. It is usually not until after a laptop is stolen or someone clicks on a phishing email that organizations even think about breach response.
Developing an incident response plan is not only required under the HIPAA rules but is also an organizational best practice, said Abby Bonjean, an associate at Polsinelli LLP, a law firm that handles HIPAA breach cases. Practices need to create policies and procedures for responding to breaches and for identifying the members of the response team. The policies should map out the steps so that team members know where to report an incident and how that information will be passed along, ensuring the people who need the details receive them.
“If there is a phishing attack and an employee clicks on a link that gives someone access to the employee’s account, you need to make sure they know who to notify within the organization,” Bonjean said.
She also recommends that practices conduct tabletop simulations of breach incidents to ensure staff know how to respond.
Practices hire Polsinelli to help resolve breaches of all sizes, Bonjean said, but that does not mean providers always need to outsource their response.
“HIPAA is designed to be scalable,” said Kim Stanger, a partner at Holland & Hart LLP. “It was never intended to force people to hire consultants at $20,000 a whack.”
For instance, if PHI is stolen but the information was encrypted in accordance with the HIPAA security rules, the incident does not have to be reported, Stanger said.
Bonjean said a practice’s compliance officer can also perform an in-house breach risk assessment if the breach was very small and the information was not highly sensitive. If there is a low probability that any information was compromised, the incident does not have to be reported to OCR, she said.
For instance, if PHI is faxed to the wrong recipients, the compliance officer can talk with the staff responsible to make sure they understand how to avoid repeating the mistake. The officer can then contact the individual who received the information to confirm that he or she will not disclose it. Practices can also send letters to recipients who mistakenly receive somebody else’s PHI, cautioning them about the HIPAA penalties associated with releasing PHI, Stanger said.
“It helps document what you’ve done, and you look better with OCR and the individuals who were breached,” Stanger said. “Showing you have taken these appropriate steps will go a long way to mitigating your risk.”
Current HIPAA rules say breaches of unsecured PHI affecting fewer than 500 patients must be reported to OCR within 60 days of the end of the calendar year in which they were discovered. If more than 500 patients’ records were breached, OCR must be notified within 60 days of the date the breach was discovered. HIPAA also requires providers to notify the individuals whose records were compromised within 60 days of the breach’s discovery.
With larger breaches, particularly electronic ones, the stakes and penalties can increase dramatically and rapidly, and Stanger said practices will likely need to bring in outside consultants. These firms can do the forensic work needed to trace how the breach started and what information was released. Among the most important tasks following a large breach is correcting the underlying problem immediately, Stanger said.
“If you correct it in 30 days and you didn’t act with willful neglect, you can usually [avoid] HIPAA penalties,” he said. “But if you fail to do a required breach report because you don’t want adverse publicity, you are going to be subject to mandatory penalties.”
Stanger said he has always been able to resolve breaches without penalties if the clients have documented corrective action and performed a breach report.
While taking corrective action and containing a breach incident, Bonjean said, it is wise to shore up other areas of the compliance program as well. A breach affecting 500 or more individuals automatically triggers an OCR investigation, and when OCR examines a compliance program, providers are frequently caught without required security measures such as risk analyses or business associate agreements.