Five Steps to Prepare for Telehealth Data Breach Litigation

Carlton Fields

As we’ve previously reported, COVID-19 has caused a surge in telehealth and has temporarily reduced the HIPAA Security Rule requirements placed on telehealth service providers. These relaxed Security Rule requirements, while helpful for providers scrambling to provide urgent care and patients needing such care, increase the risk of cybersecurity breaches. When the breaches happen, litigation is sure to follow, so here are five tips to position yourself for a more favorable litigation outcome.

  1. Avoid the Breach

Breaches always have costs, not the least of which include reputational costs and lost business. Don’t let the temporary relaxing of HIPAA Security Rules lull you into settling for second-rate technology vendors. Even if you comply with HHS’ current relaxed requirements, state laws can still be more stringent and patients may still sue you if their information is compromised. Accordingly, use a HIPAA-compliant telehealth service provider who agrees to sign a business associate agreement. For additional guidance on particular cybersecurity steps to follow, see here.

  2. Monitor and Prepare for the Breach

The longer a breach goes undetected, the greater the costs of cleaning it up. Make sure you have a process in place to monitor access to patients’ PHI. Monitoring is particularly important in the health care context, where breaches resulting from intentional bad actors are more common. Beyond that, know what to do if a breach occurs by having an incident response plan in place. According to the Ponemon Institute, companies that have and extensively test their incident response plans save more than $1 million in costs after a breach.

  3. Make a Paper Trail

Document your privacy and cybersecurity efforts, including facts and data sufficient to support the decisions. This should include a description of any reasonable equivalent alternative measures undertaken. Periodically review your documentation and update as needed in response to changes to your environment or operations. Maintain records of all risk assessments and of investigations into any prior security incidents. Consider the involvement of counsel so that any documentation, not otherwise required under HIPAA, may be protected by the attorney-client privilege.

  4. Be Mindful of Your Representations

When it comes to privacy and cybersecurity, as with anything else, know what you are promising and follow through on it, or you could face claims ranging from negligent misrepresentation to breach of contract or fraud. Always inform patients of the risks and get their consent to proceed.

  5. Involve Subject Matter Experts

If you have cyber insurance, notify your broker or carrier so that you can seek to maximize coverage and obtain the benefits of any preferred vendor lists maintained by the carrier. Those vendors could include forensic and incident response firms. Before working with those firms, obtain your carrier’s approval and have your outside counsel retain the forensic firm so as to protect their work under the privilege.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Carlton Fields | Attorney Advertising