Scaling the Mountain of Patient Privacy - Responding to Privacy Breaches
By Pam Scott
As discussed in the last issue, hospitals and other health care providers face constant challenges in the areas of patient confidentiality and privacy, as technological advances increase both the availability of and the threats to patient information maintained by providers, and as the epidemic of identity theft continues. Ensuring the privacy and security of patients' personal information is a commitment hospitals must make to avoid potential regulatory sanctions and civil liability for breaches of health care confidentiality or for identity theft. The confidentiality and security of patients' health information is governed in large part by the federal privacy and security regulations adopted pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and by North Carolina law governing patients' rights.
In addition to taking steps to avoid privacy breaches (as discussed in the August issue), the commitment to patient privacy includes being ready and armed to respond quickly and effectively to any breaches that do occur. Hospitals should respond swiftly and seriously to any breach of patient privacy, regardless of the number of patients affected.
Planning for a Breach
A scan of the daily news headlines reveals that privacy and security incidents involving the theft or compromise of personal data are rampant. Given the steady increase in privacy breaches, every hospital must assume that at some point it will be affected by a breach that results in compromised, lost or stolen patient data. Preparation is the key to a successful response to a privacy breach.
- Establish a breach brigade now: a team of employees and consultants with a defined chain of command and designated roles. This team should include, among others, an individual familiar with your organization's legal disclosure obligations, an individual familiar with your organization's computer systems and information networks, and a strong communicator.
- Train and prepare your breach brigade to manage your organization's response to a breach.
- Develop a specific plan, tailored to your organization, to manage your response to a privacy breach effectively. In developing this response plan, your organization should consult with compliance advisors, IT experts, legal counsel and other professionals involved in the maintenance and protection of patient data.
- Proper data backup and recovery processes are key. Your organization must be able to restore patients' health or personal identifying information that is compromised, lost or stolen, which means backups must be taken regularly and their restoration tested before a breach occurs.
There's Been a Breach of Patient Privacy - Now What?
Because every hospital and every privacy breach is unique, there is no one-size-fits-all formula for responding effectively to incidents that compromise patient privacy. However, a number of core principles are critical to responding effectively when a breach of a patient's health information or personal identifying information occurs, including the following.
- Immediately contact your breach brigade and implement your response plan.
- Immediately contain the breach by isolating or shutting down the computer systems or networks that were breached, taking care to preserve the logs and other evidence the investigation will depend on, and seek return of the records or data at issue. Identify and reconstruct the information stolen or compromised as quickly as possible.
- Immediately launch an investigation of the breach: its extent, how it occurred, and how to avoid similar breaches in the future. Assess damage to data, computer systems and data networks.
- Notify the police if the breach involves theft or other criminal activity.
- Notify affected patients and their families as soon as possible so they can take steps to guard against identity theft and inappropriate use of their personal information or health data. It is important to cast a wide net in identifying individuals who may have been affected by a breach; it is better to notify individuals who are not in fact affected than to fail to notify all individuals who are.
- Take prompt remedial steps to avoid similar breaches in the future, including changes in work practices and security measures, additional training, and disciplinary action against any employees at fault. Document these remedial efforts.
- If the Office for Civil Rights (OCR) comes knocking in response to a complaint regarding an alleged HIPAA violation, consult your legal counsel and reply promptly to the OCR inquiry. Being able to demonstrate the prompt steps taken to remedy a breach and to ensure that such a breach will not happen again will help cast your organization in the best light before the OCR.
- If adverse media attention occurs, respond proactively after consulting your organization's legal counsel and, if applicable, your designated public relations resource.
Notifying Affected Patients
When notifying patients and their families whose information has been compromised, it is important to be simple and succinct. Such notices should include at least the following.
- The fact that a privacy breach occurred or may have occurred, and a summary description of it.
- The types of personal information affected by the breach, including both information confirmed to be involved and information that may possibly be involved.
- The fact that you are investigating the breach, and a summary description of the steps you have taken to mitigate the harm and any likely further steps.
- Assurance of your organization's continued commitment to patient privacy.
- An apology for any inconvenience the data breach might cause.
- A contact name and number for more information, in the event affected patients or their families have questions.
By creating and implementing a privacy breach response plan that addresses the above issues, hospitals can significantly enhance their ability to respond swiftly and effectively to breaches of patients' health or personal information.
For more information regarding patient privacy issues, contact Pam Scott at 919.783.2954 or pscott@poynerspruill.com.