
Three things you should do now to prevent a security breach

August 18th, 2010

by Brian Lapidus

In the interest of full disclosure, let me note one fact: The title of this piece is a misnomer.

Why?

It's simple: You can't prevent a security breach.

In fact, when it comes to experiencing a data breach, the question is not if, but when. That's why an organization's security plan shouldn't focus on prevention alone.

Your organization must be in the best defensible position to handle a data breach when the inevitable hits.


This becomes increasingly important in the age of electronic health records, new regulatory requirements and increased pressure from oversight agencies, factors that have made it harder than ever for healthcare organizations to protect their patients' sensitive data and their bottom line.

So what can a healthcare organization do to ensure that "best defensible position?" Let's start with three essential protective measures:

1. Review contracts with business associates

It is imperative that every Covered Entity (CE) understand exactly where and how its data is stored by its business associates (BAs). This includes service providers, such as labs, as well as infrastructure arrangements like remote hosting or backup storage facilities.

This goes beyond due diligence. Contracts should contain strong provisions regarding data privacy and security, employee background checks and training, and detailed guidelines on what to do in the event of a breach.

Under HITECH, your BAs are required to notify you if they have a breach; however, as the CE, it will be your responsibility to notify the individuals and the appropriate federal entities.

Further, it is important to determine whether your data will be stored at an offshore facility. Depending on where it's located, the BA may be under no legal obligation to notify you in the event of a breach or to turn over evidence in legal discovery.

2. Get to know the 'double punch' and all other applicable laws and requirements

The landscape of breach notification is becoming increasingly diverse, particularly for requirements involving Protected Health Information (PHI). Most organizations recognize that HITECH mandates breach notification by healthcare organizations, or those entities subject to HIPAA.

If your organization does not fit that mold, don't make any assumptions. You may still be accountable to state breach notification laws, which can be quite diverse.

The healthcare industry has to handle the notification requirements for not one, but two forms of highly sensitive, valuable information: Personally Identifiable Information (PII) and PHI, what we like to call the "double punch."

HITECH deals with PHI, and there are five states or U.S. territories that also mandate notification in the event PHI is breached, but the definitions of what constitutes PHI vary by state.

What's more, there are 50 states and territories that have breach notification laws that relate to PII. This is a very complex patchwork of laws that is changing frequently, so it's critical for organizations to stay up-to-date.

3. Have a notification plan in place in the event of a breach

The HITECH Act specifies that notification must occur "without unreasonable delay and in no case later than 60 calendar days after discovery of the breach."

Let's face it. From the moment an organization uncovers a breach, every second counts. That's why all healthcare providers are under pressure to develop and implement a breach preparedness and incident response plan.

But the initial response is only one component. Notification is tricky, and there are a lot of moving parts that are still evolving. Depending upon the number of affected individuals, under HITECH (and any applicable state laws) your organization may have to notify HHS, CMS, local media and state attorneys general offices, as well as affected businesses and individuals.

Your organization may also need to provide substitute notice on your website and/or through local media when it lacks current contact information for affected individuals, in addition to establishing a toll-free number and a call center to handle their inquiries.

Making matters worse, if you fail to meet these requirements and deadlines, your organization could be slapped with hefty penalties or fines. To avoid unnecessary heartache, make sure to include all aspects of notification in your response plans.

Brian Lapidus specializes in identity theft discovery, investigation and restoration and is COO of Kroll's fraud solutions division.
