Scaling the Mountain of Resident Privacy: Responding to Privacy Breaches
As discussed in last month's issue, long-term care providers face constant challenges in the areas of resident confidentiality and privacy as technological advances increase the availability of and threats to resident information maintained by providers, and as the epidemic of identity theft continues. Ensuring the privacy and security of residents' personal information is a commitment necessary for long-term care providers to avoid potential regulatory sanctions or civil liability for breaches of health care confidentiality or identity theft. The confidentiality and security of residents' health information is governed in large part by federal privacy and security regulations adopted pursuant to the Health Information Portability and Accountability Act of 1996 (HIPAA) and North Carolina law governing residents' rights.

In addition to taking steps to avoid privacy breaches (discussed in last month's issue), the commitment to resident privacy includes being ready and armed to respond quickly and effectively to any breaches that may occur. Long-term care providers should respond swiftly and seriously to any breach of resident privacy, regardless of the number of residents affected.
Planning for a Breach
A scan of the daily news headlines reveals that privacy and security incidents involving the theft or compromise of personal data are rampant. Unfortunately, given the steady increase in privacy breaches, every long-term care provider must assume that at some point in time it will be affected by a breach that results in compromised, lost or stolen resident data. Preparation is the key to a successful response to a privacy breach.

- Establish a breach brigade now: a team of employees and consultants with a defined chain of command and designated roles. This team should include, among others, an individual familiar with your organization's legal disclosure obligations, an individual familiar with your organization's computer systems and information networks, and a strong communicator.
- Train and prepare your breach brigade to manage your organization's response to a breach.
- Develop a specific plan, tailored to your organization, to effectively manage your organization's response to a privacy breach. In developing this response plan, your organization should consult with compliance advisors, IT experts, legal counsel and other professionals involved in your organization's maintenance and protection of resident data.
- Proper data backup and recovery processes are key. Your organization must be able to restore residents' health or personal identifying information that is compromised, lost or stolen.
There's Been a Breach of Resident Privacy . . . Now What?

Because each assisted living community and skilled nursing facility and every privacy breach are unique, there is no one-size-fits-all formula for responding effectively to incidents that compromise resident privacy. However, there are a number of core principles that are critical to responding effectively when a breach of residents' health information or personal identifying information occurs, including the following:

- Immediately contact your breach brigade and implement your response plan.
- Immediately contain the breach by shutting down computer systems or networks that were breached and seeking return of the records or data at issue. Identify and reconstruct the information stolen or compromised as quickly as possible.
- Immediately launch an investigation of the breach, its extent, how it occurred, and how to avoid similar breaches in the future. Assess damage to data, computer systems and data networks.
- Notify the police if the breach involves theft or other criminal activity.
- Notify affected residents and their families as soon as possible so they can take steps to guard against identity theft and inappropriate use of residents' personal information or health data. It is important to cast a wide net in identifying individuals who may have been affected by a breach – better to notify individuals who are not in fact affected than to fail to notify individuals who are affected.
- Take prompt remedial steps to avoid similar breaches in the future, including changes in work practices and security measures, additional training, and disciplinary action against any employees at fault. Document these remedial efforts.
- If the Office of Civil Rights comes knocking in response to a complaint regarding an alleged HIPAA violation, consult your legal counsel and promptly reply to the inquiry from OCR. Being able to demonstrate the prompt steps taken to remedy a breach and ensure that such a breach would not happen again will help cast your organization in the best light before the OCR.
- If adverse media attention occurs, respond proactively, after consulting your organization's legal counsel and, if applicable, your designated public relations resource.
Notifying Affected Residents

When notifying residents whose information has been compromised and their families, it is important to be simple and succinct. Such notices should include at least the following:

- The fact that a privacy breach occurred or may have occurred and a summary description of it.
- The types of personal information affected by the breach, including both information confirmed to be involved as well as information that may possibly be involved.
- The fact that you are investigating the breach and a summary description of steps you have taken to mitigate the harm and any likely further steps.
- Assurance of your organization's continued commitment to resident privacy.
- Apology for any inconvenience the data breach might cause.
- Contact name and number for more information, in the event affected residents or their families have questions.

By creating and implementing a privacy breach response plan that addresses the above issues, long-term care providers can significantly enhance their ability to respond swiftly and effectively to breaches of residents' health or personal information.
Pam Scott represents a variety of regulated industries and professionals in administrative and civil dispute resolution, litigation and appeals pertaining to state and federal regulatory compliance and penalties, and professional licensure, as well as rulemaking proceedings. She may be reached at 919.783.2954 or pscott@poynerspruill.com.