Accidents happen, no matter how careful you try to be. That’s why a safe driver can find themselves in a fender bender and a “cyber-secured” healthcare practice can fall victim to a data breach. Without complete control over everything and everyone, there’s a risk we take just by connecting to the internet or getting behind the wheel. But while the 89% of providers who’ve experienced a cyberattack (and vast-majority of Florida drivers) have proven that you can’t always put the breaks on unpredictability – having an incident response plan in place helps to reduce the impact should an incident occur. So just as you wouldn’t flee the scene to turn a minor rear-end into a major hit and run, meeting HIPAA’s reporting requirements are key in preventing a minor breach from having major implications on your organization.
Now whether you’re amongst last year’s 71% increase in healthcare data breaches, or just looking to take your breach response plan for a test drive, steering your practice in the right direction starts with understanding your responsibilities under the HIPAA Breach Notification Rule. So with the 2021 breach reporting deadline just around the corner on March 1st, let’s take a look at the roadmap for best avoiding a violation resulting from a breach.
Assessing the Breach
Anything from an accidental mass email to a targeted ransomware attack can trigger a potential data breach. But the same way backing into a curb doesn’t necessarily warrant a police report, not every disclosure of protected health information (PHI) qualifies as a reportable breach. According to the Department of Health and Human Services (HHS), an impermissible use or disclosure of PHI is presumed to be a breach unless the organization can determine that there is a low risk of the patient information being compromised. Properly assessing the scope of the situation helps in figuring out what type of data was exposed, who exactly was impacted, and how you should best handle the next steps. Determining the risk level can be done with the help of our related article: What to Assess in a Possible HIPAA Breach
Notifying the Right People
Once you’ve assessed the breach, it’s time to get your apology letters en-route to the impacted patients. HIPAA requires covered entities to provide individual notifications “without unreasonable delay and in no case later than 60 days following the discovery of a breach.” The specifics of what should be included in individual breach notifications can be found in our related article: What is the Breach Notification Rule?
Reporting in a Timely Manner
Considering the fact that 60-80% of data breaches go unreported, notifying the HHS (and any additional state-specific parties if applicable) is an essential step that is too often missed. HIPAA law drives home some pretty specific reporting timeframes that require:
- Breaches impacting 500 or more patients be reported within 60 days of discovering the breach.
- Breaches impacting fewer than 500 patients be reported within 60 days from the close of the calendar year that the breach occurred (a.k.a March 1, 2022, for minor incidents that happened in 2021).
The HHS has made it clear just how important timely notification is in reducing penalties resulting from a breach and has levied several fines, including a $2 million settlement with a hospital, for failing to report on time. So regardless of the number of people impacted, once a breach has been assessed and individual notifications have been sent, we recommend setting the HHS Breach Reporting Web Portal as your next destination.
Documenting in Entirety
Another step that practices too often speed past is documenting their breach response in entirety. With documentation usually taking the driver’s seat when it comes to proving the action your practice has taken in handling an incident, it’s important to keep a record of the breach analysis and reporting process for up to six years following the incident.
Mitigating Further Risk
And finally, whether it’s enhancing staff training, implementing stronger safeguards or just ensuring that your patient’s security remains a top priority moving forward – handling a data breach means mitigating whatever fueled it in the first place and taking measures to prevent any future incidents from happening down the road.
Some final words of advice? If you have experienced a breach in 2021 and have yet to report it – you should probably get the pedal to the metal before the deadline passes. And if you haven’t experienced a breach and want to keep it that way, having a complete HIPAA and security program are great places to start.
So while accidents aren’t always predictable or preventable, having safety measures in place – whether it’s a seatbelt or technical controls – can reduce your risk of an incident and help minimize the damage if there is.