Healthcare is plagued by a high frequency of reported breaches. Although they are often caused by employees making mistakes, such as misdirecting a fax or losing a thumb drive, we are seeing more and more breaches caused by malware, phishing scams, and hacking. We have worked with healthcare entities in responding to data breaches, including breach analysis and notification obligations to patients, the media, and regulatory agencies.
Unlike any other industry, when a healthcare organization is dealing with a breach involving over 500 individuals, not only is the organization required to report the breach to the media, but the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) will assuredly conduct an investigation. Increasingly, our clients are also seeing inquiries from state attorneys general, who have enforcement authority under the Health Insurance Portability and Accountability Act (HIPAA) as well as under state laws.
Our team has helped healthcare entities manage the response to hundreds of privacy and data security incidents, including about half of the top 12 breaches announced to date. That experience, along with the experience of defending over 100 OCR and state attorney general investigations, has enabled us to provide clients with guidance regarding regulatory hot buttons:
- Risk Assessments and Risk Management Plans
- Vendor Management
- Incident Report and Process
- Encryption of Devices
- Third-Party Access to PHI
- Inventory of PHI and ePHI
- Staff Education and Sanctions
- Business Associate Agreements
- Security Rule Compliance (firewalls, antivirus protection, patching, etc.)
Taking proactive steps toward compliance can be overwhelming, but if the organization focuses on the right areas, achieving compliance is more manageable. We are working with more and more healthcare organizations to help them prioritize their response to gaps in their compliance programs; these gaps go beyond vendor contract issues and sometimes seem almost insurmountable if not tackled in a practical way. At times, closing a gap is quick and easy, such as adding a few slides to a workforce education program to reinforce how to avoid some of the common mistakes that result in a breach. In other cases, we can help guide risk assessments under the protection of attorney-client privilege or work product protections and subsequently help prioritize the efforts set forth in the risk management plan based on what the regulators are looking for in the investigations we are defending.
We can also help organizations develop programs that meet the periodic risk assessment requirements of HIPAA in a cost-effective, thoughtful, and practical way. HHS’s own guidance tells us that flexibility is built into HIPAA compliance and that the approach taken will depend on unique considerations for the organization. Partnering with practical lawyers who focus on these issues daily and have a direct dialogue with the regulators who will be judging your state of compliance is critical before a breach happens. Indeed, even the Indiana Attorney General’s office is now recommending that outside privacy counsel be engaged to help address compliance issues around privacy and security of personal information. In working with clients on these issues, we get a front-row seat to the important issues coming from the regulators.
Healthcare organizations generally understand the need to be prepared for unexpected incidents. With the evolving world of healthcare privacy and HIPAA compliance, an entity cannot be too prepared. We work with clients in developing multidisciplinary incident response plans tailored to the entity’s needs, as well as HIPAA and state privacy law policies and procedures. We recommend the incident response team conduct drills on the incident response plan so that each person knows what to do in the event of a breach. With a focus on all of these things, not only will a healthcare organization be better prepared to respond to a breach, it will be in a better position to prevent one from occurring at all.