When it comes to protecting patient information, data privacy and security compliance is becoming a critical regulatory issue for hospital board members. Now more than ever, health care executives — and those overseeing them — must be focused on preventing data breaches and responding promptly if they occur.
It is well-established in case law and by the Office of Inspector General that regulatory compliance is part of a board's fiduciary obligations. In its 2007 publication, "Corporate Responsibility and Health Care Quality: A Resource for Health Care Boards of Directors," the OIG reiterated that board members are obligated to exercise good faith to ensure that there is a reporting system in place, and that it is adequate to bring regulatory compliance information to the board's attention in a timely manner. While the board's fiduciary compliance focus largely has been on fraud and abuse regulations, it won't be long before trustee liability will be tested in the area of privacy and security of patient information.
The recent HIPAA final Omnibus Rule underscores the need not only for data privacy and security compliance, but for readiness to respond to privacy and security breaches. The long-awaited rule revisits the breach notification requirements first enacted under the Health Information Technology for Economic and Clinical Health Act, and changes the game significantly by amending the definition of a data breach. Under the interim rule, a breach was an inappropriate use or disclosure of protected health information that posed a significant risk of financial, reputational or other harm to the individual. The final rule (effective March 26, 2013, with compliance required by Sept. 23, 2013) states that an impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity can demonstrate a low probability that the PHI has been compromised. That demonstration must rest on a documented risk assessment that considers at least four factors: the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated.
This presumption that a breach has occurred is likely to make health care providers more wary than ever of failing to notify individuals of inappropriate disclosures of PHI. Since 2009, more than 21 million victims of large health care breaches, defined as affecting 500 or more people, have received notifications. This number may increase under the new regulatory approach. Overall, it means increased risks and potential costs to mitigate damage for affected individuals, manage adverse media attention and even defend against privacy liability lawsuits and regulatory enforcement actions.
Physical, Technical Measures
Avoiding the downward spiral of a data breach begins with securing PHI wherever it resides, whether in the cloud, the filing cabinet or the surgeon's iPhone. Security planning must consider natural disasters as well as hackers and thieves, and must safeguard data both in brick-and-mortar facilities (including home offices) and in cyberspace. Medical devices, such as imaging machines, also may store PHI that needs to be locked down.
The HIPAA Security Rule sets physical safeguard standards for electronic PHI, covering everything from limiting physical access to information technology systems, to ensuring that PHI is removed from electronic media before the media are reused or disposed of. Its mandates encompass written policies and procedures as well as documented reviews of the security measures protecting electronic PHI, including reviews of information technology networks, electronic health record systems and infrastructure security software.
With data more frequently on the move via the mobile devices of physicians and staff, giant strides in securing PHI come with one fundamental step: encrypting every system on which PHI or other potentially sensitive data exist, including laptops, phones, removable media and backups. What difference can encryption make? There are countless examples of health care providers' having to notify thousands of patients because a single laptop containing PHI was lost or stolen. Had the data on the laptop been encrypted, the organizations involved would have been exempt both from HIPAA notification requirements and from obligations under most state breach notification laws. One caveat matters in practice: the HIPAA safe harbor applies only to encryption consistent with the Department of Health and Human Services guidance, which points to National Institute of Standards and Technology methods, and only if the decryption key was not compromised along with the device. A laptop stolen while powered on and logged in, or with its password taped to the lid, does not earn the exemption. Done properly, encryption can prevent financial and reputational impacts, not to mention the potential liability that could result from data on the loose.
Readiness to Respond
No measure of regulatory compliance or physical security will avoid all breaches. Nearly 95 percent of health care organizations responding to a recent Ponemon Institute study reported at least one data breach in the past two years. Forty-five percent reported more than five incidents in the same period. Costs ranged from $10,000 to more than $1 million.
Trustees must ensure that their organization is prepared to manage data breach events just as it would manage any other threat to its finances and reputation. Fundamental to this preparation is a security incident response plan, or IRP. While each IRP will be unique to the organization it serves, all plans share some common aims. They get the right people deployed at the right time to quickly assess and triage potential data incidents. Good IRPs outline the chain of communication and command for handling various types of incidents, and they include a roster of prescreened resources likely to be needed to contain an incident as quickly as possible: expert privacy counsel, forensic investigators, mailing vendors and call center staff who can help identify affected individuals and respond to them in the event that notification is required.
While the organization must move quickly to stay ahead of negative media attention and mitigate damages, accuracy is equally vital. Allow enough time to complete the breach investigation and consult attorneys, bearing in mind that HIPAA requires notification without unreasonable delay and in no case later than 60 calendar days after the breach is discovered. Many organizations have notified patients quickly, only to recant later when the completed investigation unearthed additional damage or revealed that data were not compromised after all.
IRPs should be backed by training so staff can recognize the symptoms of a potential problem and flag incidents for further investigation. Training also should cover incident reporting and include walking team members through a simulated incident response from first report to notification decision. Plans should be updated regularly and carefully reevaluated after each event for process improvement opportunities.
Investigating and responding to a data breach can be complex and costly even before legal defense expenses and regulatory fines and penalties begin to accrue. Prudent boards will review the policies and procedures that safeguard PHI in order to shield their patients, the organization and the trustees themselves from harm.
Katherine M. Keefe, Esq., leads Beazley Breach Response Services, a unit of the Beazley Group, Philadelphia.
Sidebar - Are You Asking the Right Questions?