Carl Cadregari, executive vice president at The Bonadio Group, a Rochester, N.Y., consulting firm, said health providers should do 3 things if they suspect that patient information has been breached: Stop and take a breath, don’t panic … and call an attorney.

In recent years, there have been widespread media reports of large breaches – millions of records compromised, followed by millions of dollars in fines. It is wise to seek counsel after a breach, but a practice must also take steps in-house to rectify the situation.


Identify a breach

Prior to 2013, breaches of information only needed to be reported to the Office for Civil Rights (OCR) if it was reasonable to suspect that harm had been caused to the individuals whose information was released. The Omnibus rule, however, changed that. Now, all breaches must be reported, even if no harm could be caused.

Not all release of information has to be reported, however. Mike Semel, CEO and founder of Semel Consulting in Las Vegas, said many physicians don’t understand the difference between a breach and a disclosure. If information is “out in the wild” where anyone can see it, it is a reportable breach. A disclosure, on the other hand, could be data sent to a business associate that they didn’t necessarily need to have. That might not need to be reported. 

Providers should also establish whether the health information that was released was protected. To be considered protected health information, the information has to include an identifier and a treatment or payment. If a list of patient names with no other information is released, that may not be a breach. But it would be a breach if a patient’s prescription is released and it provides an identifier and a treatment.

Cadregari said there is another caveat that may allow physicians not to report a breach: encryption. If the information released was encrypted, and the provider can prove it was encrypted at a secure level when it was lost or stolen, it may not need to be reported under HIPAA.

One step a provider has to take if information has been breached is a risk assessment. This is performed to find out what records were breached, where they went, if the information was accessed by another party, and who might have been harmed.

A good place to look for guidance for this step is the American Health Information Management Association. The organization provides a breach checklist that offers a full range of mitigation and notification steps to take should a breach occur. 

HIPAA requires notifications be sent after a breach occurs, but the requirements vary based on the information released. Within 60 days of when a provider knows a breach has occurred, providers have to notify the individuals whose records were compromised. They must describe the information released, tell people how to protect themselves, and what is being done to investigate the breach and mitigate future occurrences.

If there are fewer than 500 records breached, the breach has to be reported to OCR within 60 days of the end of the calendar year. If there are more than 500 records, notification has to be sent to OCR within 60 days of when the breach was discovered.

Semel recommends being as honest as possible with patients after a breach. Tell patients what you know about the breach and then apologize.

“Apologies go a long way when people make mistakes,” he said.

Even though physicians can take a couple of months to begin notifications, Semel tells clients to start immediately because they may forget later and it makes a strong statement to OCR if the provider notifies them before a patient complaint is filed. In addition, some states have shorter time frames, so reporting immediately will cover all the bases. 
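The screening rules and notification deadlines described above, encoded as a small decision helper. This is an added example, not code from the article or from the firms it quotes; the field names, the choice of the discovery year as "the calendar year", and the handling of exactly 500 records are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional

@dataclass
class Incident:
    # Field names are assumptions made for this example.
    publicly_exposed: bool           # "out in the wild" (breach) vs. sent to a business associate (disclosure)
    has_identifier: bool             # e.g. a patient name
    has_treatment_or_payment: bool   # e.g. a prescription or a bill
    provably_encrypted: bool         # provider can prove secure encryption at the time of loss or theft
    record_count: int
    discovered: date
    state_notice_days: Optional[int] = None   # shorter state deadline in days, if one applies

def is_phi(inc: Incident) -> bool:
    """Protected health information needs an identifier AND a treatment or payment."""
    return inc.has_identifier and inc.has_treatment_or_payment

def is_reportable_breach(inc: Incident) -> bool:
    """The article's three screens, in order: breach vs. disclosure, PHI, encryption."""
    if not inc.publicly_exposed:
        return False        # a disclosure (e.g. to a business associate), not a breach
    if not is_phi(inc):
        return False        # e.g. a bare list of patient names
    if inc.provably_encrypted:
        return False        # encryption may exempt the incident from reporting
    return True

def notification_deadlines(inc: Incident) -> Optional[Dict[str, date]]:
    """Latest dates for notifying individuals and OCR, or None if nothing is reportable."""
    if not is_reportable_breach(inc):
        return None
    individuals_by = inc.discovered + timedelta(days=60)
    if inc.state_notice_days is not None:      # the stricter deadline wins
        individuals_by = min(individuals_by, inc.discovered + timedelta(days=inc.state_notice_days))
    if inc.record_count < 500:
        # Assumption: "end of the calendar year" means the year in which the breach was discovered.
        ocr_by = date(inc.discovered.year, 12, 31) + timedelta(days=60)
    else:
        ocr_by = inc.discovered + timedelta(days=60)   # assumption: exactly 500 is handled here
    return {"individuals": individuals_by, "ocr": ocr_by}

# Constructed sample incidents (not from the article), all discovered on 2023-03-15.
SMALL_BREACH = Incident(True, True, True, False, 120, date(2023, 3, 15))
LARGE_BREACH = Incident(True, True, True, False, 1200, date(2023, 3, 15), state_notice_days=30)
NAMES_ONLY = Incident(True, True, False, False, 5000, date(2023, 3, 15))
ENCRYPTED_LAPTOP = Incident(True, True, True, True, 5000, date(2023, 3, 15))
BA_DISCLOSURE = Incident(False, True, True, False, 50, date(2023, 3, 15))
```

Note that the small breach's OCR deadline lands on 29 February because 2024 is a leap year; a date library rather than hand arithmetic avoids that kind of slip.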

The major fear of most providers following a breach is being fined by OCR. This is an understandable trepidation. Providers can be forced to pay penalties ranging from $100 to $50,000 per violation, depending upon the extent of the problem.

But a bigger problem than fines is the investigation that can occur. Each breach will bring an audit from OCR or another entity and that can open Pandora’s Box. One of the most infamous of these occurred at a cardiac surgery group in Arizona in 2012. It was reported to OCR that the internet-based calendar with patient appointments was available online to the public. After the report was received, OCR audited the group and found that patients’ electronic health information had not been protected. The group had to pay $100,000 and implement corrective action.

Aside from fines, Semel said, breaches can cost an organization upwards of $200 per record due to credit reporting, legal assistance, and patient notification. Providers can purchase cyber liability insurance—which he recommends—to mitigate some of these costs. But insurance is not a substitute for following good security practices and investing in IT security solutions.

“If you have car insurance and get drunk and drive by a ‘road closed’ sign, and then have an accident, it doesn’t matter if you have insurance,” he said.