Planning Ahead for Breach Notification

A Comprehensive Plan is an Essential Risk Management Step
Planning Ahead for Breach Notification
Many organizations are unprepared to adequately respond to a breach, says security expert Bob Chaput. "Breach notification planning is just a fundamental, basic part of risk management in the new millennium," he adds.

Healthcare organizations that fail to develop a comprehensive plan for notifying government authorities, as well as individuals affected, about a breach, as required under the HITECH Act, "are creating unnecessary risk" in addition to the risks inherent in the breach itself, Chaput says.

Unfortunately, many organizations have yet to train staff members on how to handle calls from those affected by a breach. "Taking calls for billing, customer service or the help desk is not at all the same skill set that's required for handling identity theft calls from irate patients," he notes.

In an interview, Chaput stresses the need to:

  • Understand requirements under the HITECH Act interim final breach notification rule as well as state breach notification laws and develop a plan for meeting those requirements.
  • Share information about breaches with patients as soon as it's available. "Come clean early and fully," he says. "Unlike wine, bad news doesn't age well."
  • Offer breach victims help with monitoring their credit ratings and "make it very, very easy to be contacted" about any questions.
  • Cooperate fully with the Department of Health and Human Services' Office for Civil Rights, which investigates breaches.
  • Revitalize your HIPAA privacy and security rule compliance program. In this way, the organization can demonstrate a "good faith effort to comply," which can help it to avoid higher penalties associated with willful neglect to comply.

Chaput is president of Clearwater Compliance LLC, a privacy and security consulting firm that helps covered entities and business associates comply with HIPAA and the HITECH Act. He formerly served as an operations and technology executive at GE, Johnson & Johnson and Healthways.

HOWARD ANDERSON: The Interim Final Breach Notification rule now in effect requires healthcare organizations and their business associates to report breaches to federal authorities as well as those affected. Many organizations are now focusing their efforts on preventing breaches, especially in light of more than 270 major incidents that the official federal tally so far. But should they also be developing a detailed plan for breach notification just in case an incident occurs?

BOB CHAPUT: From my perspective, absolutely yes. I believe that having a breach plan in place today is like having a disaster recovery plan in place for your data center 30 years ago. Without one, organizations are creating unnecessary risk on top of the inherent risk in having a breach itself. I think that breach notification is just a fundamental basic part of risk management in the new millennium.

Breach Notification Plan

ANDERSON: So what are the most important elements of a breach notification plan?

CHAPUT: We like to use the metaphor of a four-point compass. Therefore, there are four key elements, just like there are in any risk management or security plan.

First of all, an organization needs a policy. And this is the articulation of your values, your standards regarding expected behaviors. Think of it as the "what" of your plan. The next point of the compass is procedures, and these are detailed processes or steps that are followed on a day-by-day basis to do three things. Number one, first and foremost, prevent breaches. Number two is to triage incidents as they occur. And finally, number three [involves the] detailed steps that would be followed in the event of an actual breach.

The third point of the compass is around people. We encourage organizations to have an engaged and supportive executive team and an aware and informed workforce. [They also need a] crisis management team. [And they need to work with] ... business associates and their subcontractors ...

The fourth point of the compass is technology. So in addition to all of the technology that can be applied to help secure PHI [protected health information], organizations should look at using technology for incident management and breach reporting. Lots of organizations are cobbling together solutions using standard office suite tools. Others are building their own home-grown software. What is emerging is some commercial off-the-shelf software to help in incident management and breach reporting.

Overlooked Steps

ANDERSON: So when it comes to breach notification planning, are there particular details that many healthcare organizations tend to overlook?

CHAPUT: As you might expect, the gaps or the deficiencies are going to vary by the size, sophistication and type of organization. Let me place them in three buckets. What we are finding is number one - I'll call it the "unaware and the misinformed." At the very sad extreme there are many organizations that are not even aware of their obligations under the Breach Notification Interim Final Rule. Some are aware that such a thing exists, but they don't realize that it does have the force of law.

The second bucket, I'll call the "pre-breach unprepared." On a pre-breach basis, the single biggest mistake we are finding organizations falling into is simply failing to take basic preventive steps. A classic example is failure to do a risk analysis, to identify exposures and prioritize risk mitigation actions. In this domain, the specific, and I'm afraid to say ridiculous, example of failure to implement basic controls is illustrated by the number of organizations that appear on the list of major breaches on the Office for Civil Rights website.

The third category is the "post-breach unprepared." Post-breach, there are many organizations that are totally unprepared to scale and address what just happened to them. They fail on a capacity and expertise basis. If you think about it, taking calls for billing, customer service, the help desk - this is not at all the same skill set that is required for handling identity theft calls from irate patients or plan members.

Breach Notification Process

ANDERSON: What advice do you have about the details that are essential to include in letters to affected patients as well as notices posted on websites to help rebuild trust after a breach?

CHAPUT: First and foremost, understand the guidelines. Obviously at the federal level, we have the Breach Notification Interim Final Rule. But there are 46 states now that have privacy, security and/or breach notification laws. You need to know the guidelines, how they differ and what exactly is required of you in the affected jurisdiction. In many cases, you need to work with someone who is experienced in this regard.

The second thing is come clean early and fully. Unlike wine, lying about bad news doesn't age well. The interim final rule explicitly calls for a description of the breach, the types of information that were involved, steps that affected individuals ought to take to protect themselves, a brief description of what the covered entity is doing to investigate it and mitigate harm, as well as contact information.

The third point is clearly provide an offer of assistance to people. For example, help them contact or on their behalf contact the major credit reporting agencies like Experian or Equifax or TransUnion. Finally, make it very, very easy to be contacted by the organization. Don't make it a challenge to be reached.

Lessons Learned

ANDERSON: Are there any other lessons we can learn from the notification experiences of those organizations that have experienced major breaches so far?

CHAPUT: Number one: Get proactive and stay proactive. Form your team, set business risk management goals, and do your security evaluation and your risk analysis so that you can be moving in the direction of securing PHI. Build your breach notification plan, which is the theme of our entire session.

Number two, cooperate fully with affected individuals, the Office for Civil Rights, local media and anyone else involved. As I mentioned before, bad news doesn't age well, and lack of cooperation has caused, at least in one case, a huge penalty issued by the Office for Civil Rights (see: HIPAA Privacy Fine: $4.3 Million).

Finally, revitalize in your environment your entire HIPAA security and privacy compliance program. Be in a position of being able to demonstrate good faith and genuine effort to comply so you avoid being in a position of a finding of willful neglect. ...

About the Author

Howard Anderson

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.