In addition to notifying HHS of a HIPAA privacy breach, healthcare providers also must take steps to mitigate damage done and prevent breach recurrences.
Everyone knows by now that the security of health information is a major concern of patients, providers, and government agencies. In the past six years, the Department of Health and Human Services (HHS) has received more than 14,000 reports of significant breaches (those affecting 500 or more individuals), and a dozen or more continue to arrive every month. As required by HIPAA, covered entities and their business associates must report breaches of unsecured protected health information (PHI).
Healthcare attorney Martha Ann Knutson recently summarized the breach reporting process and the lessons she has learned from years of dealing with the issue. Most HIPAA breaches need to be reported to the affected individuals, to HHS’s Office for Civil Rights (OCR), and perhaps to a state agency, depending on state law, says Knutson.
Breaches affecting 500 or more individuals are posted on the OCR website after reporting and initial processing by OCR. In some cases, a breach may also need to be posted on the healthcare provider’s website and/or published via print or broadcast media. Breaches involving fewer than 500 individuals are reported to OCR in an annual log, due within 60 days after the end of the calendar year in which they were discovered (that is, by the end of February), but the agency does not make them publicly available unless they form the basis of a settlement.
Irrespective of the notification requirements, providers must take steps to mitigate the damage done and prevent recurrences. Mitigation can involve such actions as offering credit monitoring services and auditing patients’ accounts for signs of identity theft. Prevention could include improved physical access controls, additional technical safeguards such as encryption, or increased oversight activities.
Knutson, a hospital attorney now in private practice in California, says she has gleaned eight critical lessons from dealing with HIPAA breach issues.
Don’t offer excuses. Pleading “it was a crime” does not relieve healthcare providers of their responsibilities. “The government’s viewpoint is that you know PHI is a target for thievery, and your risk management plan needs to deal with that risk,” Knutson says. “Criminal activity on someone else’s part does not relieve you of your responsibilities.”
Confirm your actions. Be ready to provide assurances to OCR that remedial action has been taken. “For example, be ready to send them copies or details of your revised policies, new audit plan, new encryption software, etc.,” Knutson says.
Be aware of reporting errors. On rare occasions an incident might be reported and then be found not to have been a reportable breach in the first place. For example, a laptop may be reported stolen, but it is later determined that its contents were encrypted in a manner consistent with HHS guidance, so the PHI was “secured” and its loss did not create a “breach.” “This doesn’t happen often, but OCR sometimes acknowledges that a report was made in error and that the incident was not a breach,” Knutson says.
Issue timely and thorough notifications. It’s never too late to notify. “Even if the breach was years ago or when an original notice was insufficient, OCR will make you perfect it as part of your follow-up. An imperfect notification is not sufficient,” says Knutson.
Keep track of vendor agreements. Retain your old business associate agreements. “If there was a breach by a business associate prior to Sept. 23, 2013, OCR is simply asking the covered entity to show that there was an adequate business associate agreement in place,” says Knutson. Today, however, both the business associate and the covered entity may be held liable for a breach and involved in mitigation and prevention efforts.
Anticipate OCR’s requests. Anticipate what OCR might require and either do it yourself or have your business associate do it as soon as possible, Knutson says. “You do not want a final report to say corrective action was taken only at the suggestion of the OCR, or have a narrowly focused investigation turn into a full-blown compliance review.”
Take corrective action. When employee error was involved, Knutson says the OCR is looking for corrective action proportional to the offense. “This means counseling or other sanctions up to and including possible termination. Retraining of those in similar positions will be necessary, as will cooperation with law enforcement if there was criminal activity,” Knutson says.
Anticipate quick turnaround. It is possible to make it through the entire breach reporting and remediation process in just a few months. “If you’re proactive and bring the organization into compliance before OCR’s investigation, you will find that the process isn’t as onerous as you might fear,” says Knutson.
Although HIPAA breaches can be alarming events, following OCR’s requirements, taking a proactive approach to reporting, and developing solutions to avoid future breaches can bring your organization back into compliance.
J. Stuart Showalter, JD, MFS, is a contributing editor for HFMA.
Interviewed for this article: Martha Ann Knutson is attorney and counselor at law, San Diego, Calif.
Forum members: What do you think?
- How does your organization handle possible HIPAA breaches?
- Have you dealt with the breach notification requirements in the past, and do you have any lessons learned to share with others?
- Are your HIPAA policies up to date and enforced?