As we’ve previously reported, COVID-19 has caused a surge in telehealth and has temporarily reduced the HIPAA Security Rule requirements placed on telehealth service providers. These relaxed Security Rule requirements, while helpful for providers scrambling to provide urgent care and patients needing such care, increase the risk of cybersecurity breaches. When the breaches happen, litigation is sure to follow, so here are five tips to position yourself for a more favorable litigation outcome.
- Avoid the Breach
Breaches always have costs, not the least of which include reputational costs and lost business. Don’t let the temporary relaxing of HIPAA Security Rules lull you into settling for second-rate technology vendors. Even if you comply with HHS’ current relaxed requirements, state laws can still be more stringent and patients may still sue you if their information is compromised. Accordingly, use a HIPAA-compliant telehealth service provider who agrees to sign a business associate agreement. For additional guidance on particular cybersecurity steps to follow, see here.
- Monitor and Prepare for the Breach
The longer a breach goes undetected, the greater the costs of cleaning it up. Make sure you have a process in place to monitor access to patients’ PHI. Monitoring is particularly important in the health care context, where breaches resulting from intentional bad actors are more common. Beyond that, know what to do if a breach occurs by having an incident response plan in place. According to the Ponemon Institute, companies that have and extensively test their incident response plans save more than $1 million in costs after a breach.
- Make a Paper Trail
Document your privacy and cybersecurity efforts, including facts and data sufficient to support the decisions. This should include a description of any reasonable equivalent alternative measures undertaken. Periodically review your documentation and update as needed in response to changes to your environment or operations. Maintain records of all risk assessments and of investigations into any prior security incidents. Consider the involvement of counsel so that any documentation, not otherwise required under HIPAA, may be protected by the attorney-client privilege.
- Be Mindful of Your Representations
When it comes to privacy and cybersecurity, as with anything else, know what you are promising and follow through on it, or you could face claims ranging from negligent misrepresentation to breach of contract or fraud. Always inform patients of the risks and get their consent to proceed.
- Involve Subject Matter Experts
If you have cyber insurance, notify your broker or carrier so that you can seek to maximize coverage and obtain the benefits of any preferred vendor lists maintained by the carrier. Those vendors could include forensic and incident response firms. Before working with those firms, obtain your carrier’s approval and have your outside counsel retain the forensic firm so as to protect their work under the privilege.