So You’ve Had a HIPAA Breach… Now What?
You’ve overseen your healthcare organization’s privacy program. You’ve monitored HIPAA compliance. You’ve established security controls to protect patient data. But a HIPAA breach still happened.
As hard as privacy and security officers work to safeguard patient information, data breaches have become a fact of life in the healthcare industry. Historically, healthcare breaches have affected over 59% of the United States population. When facing the aftermath of the exposure of patient data – which includes anything from PHI to personal identifiable information (PII) such as patient financial records and social security numbers – what steps can health organizations take after a HIPAA breach?
Make a plan
Before a breach occurs, it’s vital to have a plan in place to mitigate potential damage. Establishing a structured strategy like an Incident Response Plan (IRP) ensures that no essential actions fall through the cracks, including:
- Identifying the source of the breach and taking applicable disciplinary action
- Determining what information was involved and whether it was acquired or viewed by another party
- Containing the breach
- Reporting the breach to the Office of Civil Rights (OCR)
- Notifying those affected by the incident
- Preparing for recovery efforts
- Training and re-educating users
Reporting the breach
Once a breach has been discovered, it must be promptly reported to the OCR. According to the Department of Health and Human Services (HHS), breach notification by a covered entity will vary depending on whether an incident affected more or less than 500 individuals.
For breaches that affect less than 500 people: The OCR must be notified by a covered entity no later than 60 days of the end of the calendar year once the breach is discovered. Multiple breaches can also be reported on the same day if they affect fewer than 500 individuals, but they must complete a separate notice for each incident.
For breaches that affect 500 or more people: The OCR must be notified of a breach involving 500 or more people without unreasonable delay – within 60 days of discovery.
For a breach of any size, the HIPAA Breach Notification Rule mandates that an organization report on the following points:
- The type and amount of information involved, which include identifiers and the likelihood that the data can be used to re-identify a patient
- The identity of the unauthorized person who accessed patient records, or to whom they disclosed PHI
- Whether PHI was acquired or actually viewed by the responsible party
- The level to which the risk of a breach has been mitigated
Additionally, individuals affected by the breach must be notified as well via first class mail or email within 60 days of the incident. And for certain instances, breaches must also be reported to media outlets. For further details, refer to the HHS’ website for a thorough explanation of reporting requirements along with links to electronically submit a breach report.
Understanding HIPAA violation fines
A breach can be devastating to any healthcare organization, but there is a silver lining – in 2019, the HHS announced drastic changes to HIPAA violation fines, which reduced the maximum costs of HIPAA violations considerably. The new fines are based on four tiers:
Tier 1: No Knowledge: This applies to organizations that couldn’t have known about an incident and made a genuine effort to protect itself ahead of time.
Tier 2: Reasonable Cause: The health system either knew or should have known about the violation after performing due diligence, but the breach did not occur as a result of willful neglect.
Tier 3: Willful Neglect – Corrected: The HIPAA violation was caused by negligence, but steps were taken to quickly correct it.
Tier 4: Willful Neglect – Not Corrected: Applies to an incident caused by neglectful behavior when no action was taken to correct it within a reasonable period of time.
Organizations that proactively prepare for breaches by taking steps like establishing security controls, prioritizing employee training and retraining, and implementing Patient Privacy Monitoring for discovering potential incidents, can reduce their HIPAA violation fines significantly – maximum penalties have been reduced from $1.5 million to $25,000 for organizations that have taken reasonable steps to avoid a breach.
Implementing proactive monitoring
By providing early insight into user activity within your organization, proactive monitoring is an excellent way to mitigate future incidents or even stop potential breaches before they start – all while maintaining trust between health systems and patients.
After a breach involving two staff members in 2013, Sentara Healthcare knew they needed to begin monitoring proactively in order to strengthen their compliance posture. By partnering with a patient privacy monitoring solution, Sentara Health gained visibility into activity within their organization, streamlined workflows, and installed advanced analytic capabilities.
When a new incident occurred involving two high-profile patients and a devastating car crash, Sentara was able to not only immediately detect the breach, but they also utilized their new analytics tools to quickly investigate, identify those responsible for the unauthorized access, and resolve the issue.
“I think this incident resonated throughout the hospital when employees found out that some staff members were let go for going into those records,” said Sentara Healthcare Privacy Officer Normal Wild. “We’re able to communicate to the staff that we have this tool now. Now, all those times when an employee thinks, ‘Oh, we can go into the record, no one will ever find us,’ they know that’s not true, and that users’ accesses are being closely monitored.”
Providing training and re-education to all users
A breach can occur any time – and the causes aren’t limited to malicious intent. Falling for phishing attempts, curiosity, or even leaving a computer or workstation unlocked and walking away could easily lead to unauthorized access.
To prevent risks like these – as well as the dangers that insider threats pose – prioritize training and re-training for all users. When staff, students, and business associates have a thorough understanding of an organization’s privacy program, from the importance of protecting PHI and maintaining security controls to the consequences of disciplinary action in the event of a HIPAA violation, users will be equipped with the knowledge needed to prevent unauthorized access – along with potential consequences in the event of a HIPAA breach.
As a privacy, security, or compliance professional, you take protecting PHI seriously. But with the risk of hackers, phishing, ransomware, and insider threats, even the most cautious healthcare organization is susceptible to a breach. However, by establishing a plan, properly reporting incidents, establishing patient privacy monitoring, and prioritizing training, healthcare organizations are better equipped to mitigate the risk of breaches, potentially stopping them before they even start.