An Unhealthy Situation: Data breaches plague healthcare providers. Serious advance work can help.

Monday, September 21, 2015 - 15:23

Healthcare providers and health plans are among the most vulnerable organizations when it comes to data breaches. Failing to respond promptly yet accurately to a healthcare data breach can be particularly costly because of potential fines and penalties under the Health Insurance Portability and Accountability Act of 1996 and its associated regulations (HIPAA), as amended by the HIPAA Omnibus Final Rule, which expanded HIPAA’s privacy protections and enhanced the enforcement capabilities of the U.S. Department of Health and Human Services Office for Civil Rights (OCR). A breach can also be costly because of the damage it does to the trusting relationship that these organizations must maintain with their patients and members.

The bad news is that breaches are inevitable. The good news is that advance preparation and planning are achievable and give the organization the best opportunity for the best response. An effective breach incident response program allows a healthcare organization to quickly identify potential breaches, effectively investigate and analyze incidents, promptly comply with all applicable notification obligations, take corrective action to prevent similar incidents from occurring in the future, and demonstrate the organization’s commitment to the privacy and security of its patients’ personal information. The challenge is to get your organization to commit to implementing the program in a real and meaningful way. That can be achieved by doing the following:

1. Publicize the incident reporting process internally

You need to communicate the reporting process to your employees. HIPAA requires that patients be notified of a data breach as soon as possible, and in no event more than 60 days after the discovery of the breach (or after the date on which a reasonable person exercising due diligence should have discovered it), and some state laws impose shorter timelines. A stolen smartphone, a lost thumb drive, missing papers, a misdirected fax or a phishing email can all be potential incidents. Employees need to understand what constitutes a suspected incident, their obligation to report such incidents, the person to whom they must report, and when and how to do so. The simpler the reporting process, the more likely it is that the workforce will actually use it. Annual training and a posting on the healthcare organization’s intranet, at a minimum, can be used to educate the workforce on when, how and to whom they should make a report.

2. Create a culture of HIPAA compliance

Employee training is a good start, but a true culture of HIPAA compliance starts from the top down. If HIPAA is embraced at the highest levels of your organization, including the CEO, CMO and CNO, the rest of the organization is likely to follow suit. Healthcare organizations that embrace HIPAA and invest in creating a culture of compliance are better equipped to respond to a data breach and any ensuing regulatory investigation. Every piece of a breach response program, from incident reporting to final resolution, will be fine-tuned if HIPAA compliance is an organizational priority. New employee orientation and annual required training, screenshots on computers, intranet pages, newsletter education vignettes, and one-on-one training all provide opportunities to reinforce a culture of compliance. The OCR has recently focused not only on privacy training but also on the requirement that organizations conduct training on the HIPAA Security Rule.

3. Engage the C-suite

The C-suite not only helps establish the culture of compliance but also plays a critical role in a breach response. The important decisions involved in a breach response must often be approved by C-level executives, including the CEO, CFO, CIO, general counsel and compliance officer. To make these decisions, they need to be familiar with the breach response plan, must be informed of the details of the incident, and must be sufficiently engaged in the process to avoid decision-making bottlenecks and delays. Depending on the size and expected publicity of a breach, the compliance committee of the board or the full board may also need to be informed, and a media-trained spokesperson for the organization must be prepared. Open and transparent lines of communication with the C-suite early in the process ensure engagement and an effective and timely response.

4. Retain experienced outside privacy counsel

No matter how strong your executive team, in-house privacy officers and attorneys are, you may need to retain an experienced privacy attorney who focuses solely on responding to data breaches, regulatory investigations and litigation in this area. Outside lawyers who deal with healthcare data breaches regularly are adept at handling breaches that require media notification or involve sensitive patient data or persons. They understand the applicable privacy laws and regulatory enforcement tendencies and can help your organization navigate all phases of the breach response process, including setting the tone and frequency of communication with patients, members, employees, the board, regulators and the media. They are also largely immune to the internal influences and politics that could affect an in-house counsel’s decision-making process.

5. Develop a plan and form a team

A strong incident response plan can make the difference between panic and control when a breach occurs. Data breaches can be chaotic and unpredictable, occur at inopportune times, and pose logistical challenges that can overwhelm your organization if you are not prepared. An incident response plan provides a roadmap for creating order out of chaos. It provides a process for investigating and managing an incident. It should not be rigid or overly detailed, so that it remains adaptable to each unique incident. It also needs to include the key stakeholders in your organization. Privacy, compliance, legal and information security officers are obvious choices, but you should also consider including risk management, media/public relations, finance, physical security, human resources and operations. You should also run incident response drills, just as you drill on codes and your emergency management plan.

6. Use outside forensics, where warranted

In an electronic data breach, determining exactly what happened is an important question, but it may be difficult to answer because of the widespread use of complex health information technology (HIT) in today’s health systems. Outside forensic firms can provide additional expertise beyond that of your in-house IT team, as well as forensic tools to determine what happened, whether PHI was actually viewed or acquired, and which patients need to be notified. Outside firms analyze data security incidents every day and can answer complex HIT questions reasonably quickly. They can also provide an objective outside expert for your regulatory risk assessment and/or for determining whether a breach occurred.

7. Don’t forget about applicable state laws

State laws can raise complex legal issues and need to be considered in your plan. Currently in the U.S., Alabama, New Mexico and South Dakota are the only states with no laws related to data breach notification. Breach notification laws in other states require notification following incidents involving computerized/electronic “personal information,” which is typically defined as an individual’s name combined with a Social Security number, driver’s license number, or bank account number and account access information. However, several states and Puerto Rico, with more amending their statutes all the time, require notification following breaches involving residents’ health or medical information. These laws may overlap with HIPAA requirements and may have accelerated notification deadlines. The state laws are typically triggered by the state of residence of the patient, NOT by where the hospital is located.

8. Establish relationships with fulfillment vendors and credit-monitoring companies

Notification following a large data breach can be a daunting logistical challenge that some healthcare organizations may not be equipped to tackle. Fulfillment vendors can efficiently print, stuff and mail hundreds of thousands of notification letters, and they may also offer call center services that can help organizations manage and respond to the flood of patient or member calls that follows notification. A good fulfillment vendor will also keep documentation of proof of mailing and of returned mail that the organization may need for regulatory purposes. Similarly, a credit-monitoring company’s services may be needed when financial information or Social Security numbers are included in a breach, and offering them can demonstrate your commitment to protecting your patients following a breach. These two types of companies may become the face or voice of your organization as patients avail themselves of these services.

9. Document investigations, risk assessments and steps taken

If your organization does not create and retain appropriate documentation following a breach, you run the risk of being unable to defend a regulatory investigation. At the same time, you should be cognizant of the threat of litigation when creating and retaining documents associated with a data breach, including email communications. Consult your legal counsel when developing documentation practices to make sure you properly address the application of attorney-client privilege, and don’t overlook the importance of a litigation hold when developing a breach response plan.

10. Consider cyberliability insurance

Since it’s not a matter of if a breach will happen, but when, all healthcare organizations should consider cyberliability insurance to provide first- and third-party coverage for a breach and the claims that may flow from it. First-party coverage may assist a hospital in responding to a breach by paying for experienced privacy counsel, fulfillment vendors, credit monitoring, forensics companies and crisis management professionals. Most third-party policies will defend a healthcare organization in a regulatory investigation by the OCR or state attorneys general and in a third-party claim made by a patient or a class action, and in some circumstances will cover regulatory fines and penalties. This insurance coverage is becoming as commonplace for healthcare providers and health plans as general liability and employment liability insurance.

All of these steps can help a healthcare organization be better prepared when the inevitable breach occurs.
Lynn Sessions, a partner at BakerHostetler, has more than 20 years’ experience working with healthcare industry clients, having previously served as in-house counsel and director of several departments at a nationally ranked children's hospital. She focuses her practice on healthcare operations and regulatory work, with an emphasis on healthcare privacy and data security, breach response, and HIPAA compliance. She can be reached at