Kusserow on Compliance: Planning for HIPAA Breaches

There is an old adage about “work to reduce risks, but plan for the worst.” Many don’t follow this. Common types of breaches involve a lost or stolen laptop, PDA, or flash drive that has protected health information (PHI) stored on it. Paper breaches include faxing PHI to an incorrect number or person, mailing PHI to the wrong address or person, or failing to shred paper medical records or patient billing records prior to disposal. When such events occur, a lot has to happen quickly to meet the many obligations under the Breach Notification Rule. This includes notifying parties affected by the breach of unsecured PHI. The Federal Trade Commission (FTC) has similar rules relating to vendors of personal health records and their third-party service providers, pursuant to the HITECH Act. In a surprising number of cases, clients have come to our firm to assist them with a HIPAA security breach of PHI because they were not prepared to meet all their obligations.

Dr. Cornelia Dorfschmid, a leading expert on the subject, notes that “all organizations and entities should have periodic evaluations of the security of PHI, but many don’t and fewer yet have plans in place for dealing with potential breaches.” At a minimum, an evaluation should include a review of policies, procedures, and internal controls relating to protecting information, as well as ensuring that all data stored on or transmitted from internal and external drives is properly protected with passwords and encryption. This is precisely what the HHS Office of Inspector General (OIG) calls for when it speaks of “ongoing monitoring and auditing.” However, the biggest failure is not planning for the worst by developing contingencies for dealing with breaches, should they occur. This includes notification, but also handling questions from patients who have been alerted to the problem. The easiest part of reacting to a breach is meeting the notification obligations.

Breach Notification

When there is a breach of PHI, covered entities must make notifications to oversight agencies, such as the HHS Office of Civil Rights (OCR), but must also provide affected individuals with notice in written form by first-class mail, or alternatively, by e-mail if the affected individual has agreed to receive such notices electronically. This notification must include a toll-free phone number that remains active for at least 90 days where individuals can learn if their information was involved in the breach. These actions must be taken without delay and must include, to the extent possible: a brief description of the breach; a description of the types of information that were involved in the breach; the steps affected individuals should take to protect themselves from potential harm; a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches; and contact information for the covered entity (or business associate, as applicable).

Addressing a Large Volume of Patient Calls

Depending on the magnitude of the breach, many organizations may not be able to answer a large volume of calls from patients and families once those people receive written notification of a breach that involves their data. The real headache is when a breach involves thousands of people, who may be calling for a better understanding of the implications of having their data compromised. Few organizations are equipped with a dedicated line and staff to respond to what may be a flood of calls, and callers should not be put on hold or have trouble getting through to a live person. The last thing an organization needs is to admit a security breakdown that created a breach and then have patients feel it is unresponsive to their concerns and queries. With stringent deadlines for addressing PHI breaches, it is worth engaging in advance contingency planning for what to do under those circumstances. Among the questions that should be answered is whether the organization is equipped to handle an influx of calls from disturbed and anxious patients and family members, keeping in mind that these calls may not be limited to office hours. If it is determined that a host of calls could not be handled properly internally, then consideration should be given to investigating what other options might be available externally.

Tips on Finding a Solution

  1. Establish a plan to handle a volume of calls in response to a potential breach notification.
  2. Note: A hotline is NOT the right solution. It receives information rather than dispensing it.
  3. Consider call centers that provide information, either in response to incoming calls or by calling out to people.
  4. Vendors considered for handling calls of this type should have experience with HIPAA.
  5. Ensure the vendor has knowledgeable staff, as inexperienced ones could easily aggravate matters.
  6. Finding the right external resource on extremely short notice may be difficult.
  7. The idea is to identify competent vendors and their costs, but not to sign a contract until needed.
  8. Taking time to investigate options now could save big headaches later.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He is currently CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance-related matters. The SM sister company, CRC, provides a wide range of compliance tools, including sanction screening.

Copyright © 2015 Strategic Management Services, LLC. Published with permission.