While we may not really want to think about it, data breaches happen daily in every business sector, and healthcare is no exception. In fact, healthcare is the most frequently targeted industry for cyberattacks, accounting for three-fourths of all hacks and close to two incidents daily throughout 2022. The result is tens of millions of patient records exposed online each year.
Part of the reason for this is that healthcare data is quite valuable to hackers, worth up to 50 times more than credit card data on the black market, according to a recent Trustwave report. With that incentive, many hackers have targeted the sector, resulting in even more threats to hospitals and medical offices.
The repercussions of healthcare data hacks go well beyond you and your IT team. Any irregular use of protected health information (PHI) is subject to HIPAA regulations and potential fines. Further, according to the HIPAA Breach Notification Rule, all organizations are required to follow a specific set of steps if they think a data breach has occurred.
Because of this, it’s very important to understand the steps your organization will need to take if you think a breach has occurred.
What exactly is a PHI breach?
First off, it’s important to actually understand what HIPAA outlines as a PHI breach. The official definition is “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information,” according to the U.S. Department of Health and Human Services. This means organizations have to think about:
- What kind of data was involved in the breach, including any information that can result in being able to identify a patient
- Who disclosed the information and to whom it was disclosed
- Whether the PHI was actually taken or viewed by another party
- Whether the risk of exposure has been mitigated
The HIPAA Breach Notification Rule has a “guilty until proven innocent” approach. HIPAA assumes any impermissible use or disclosure of PHI is a breach unless your organization can prove there is a low probability that the information was compromised or used based on the above factors.
There are some exceptions to these guidelines, but, in general, they require the information to either have been inadvertently accessed by someone who would normally have access to similar information at your organization or inadvertently forwarded among such people. This means that if any outside parties were involved, you’ll need to report it under HIPAA.
“HIPAA, we have a problem”
So, what do you do if you think a breach has actually occurred at your office? The good news is that HIPAA requires a very specific protocol, which takes a lot of guesswork out of the equation. The bad news, though, is that there are many steps to follow.
Entities are required to notify any individuals impacted by a PHI breach within 60 days of discovering the breach. This notice must be sent by first-class mail unless the individuals have previously agreed to receive information from your office by email, in which case email is acceptable. If the contact information you hold for affected patients is insufficient or out of date, you will also need to post a notice on your website for at least 90 days – and it only takes 10 incomplete or out-of-date patient records to trigger this requirement.
Further, you must maintain a toll-free number for impacted individuals to learn about the breach for at least 90 days from the incident’s discovery.
For all these notifications, HIPAA also provides specific requirements for what information must be shared with individuals. This includes:
1) a description of the breach;
2) the types of information involved in the breach; and
3) what steps individuals can take to prevent or mitigate further harm.
Organizations also need to include a fourth piece of information: What steps they are taking to investigate the breach and prevent it from happening again in the future.
Larger breaches will also require more actions by the healthcare organization. Any breach impacting more than 500 individuals will require you to notify media outlets via a press release within 60 days of discovering the breach. You must also officially notify HHS through a breach report form, as the HHS’s Office for Civil Rights (OCR) will post this information on a public portal.
Even if the data breach impacts fewer than 500 people, you will still need to report the breach to HHS within 60 days after the end of the calendar year in which the breach was discovered.
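The notification rules above amount to a small decision procedure driven by the discovery date, the number of individuals affected and how many of them cannot be reached. The following Python sketch, added here as an example and not part of the original article, encodes only the thresholds and deadlines stated on this page; the Breach and Obligation types, and the per-breach email_consent flag, are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List

# Required contents of every individual notice, as listed in the article.
NOTICE_CONTENTS = (
    "description of the breach",
    "types of information involved",
    "steps individuals can take to prevent or mitigate further harm",
    "what the organization is doing to investigate and prevent recurrence",
)

@dataclass
class Breach:
    discovered: date             # date the breach was discovered
    affected: int                # individuals whose PHI was involved
    unreachable: int = 0         # individuals with insufficient or out-of-date contact info
    email_consent: bool = False  # assumption: e-mail consent tracked per breach, not per person

@dataclass
class Obligation:
    action: str
    due: date  # deadline; for ongoing duties (hotline, web notice) the earliest end date

def notification_plan(b: Breach) -> List[Obligation]:
    """Return the notifications the article describes for one breach, with dates.

    Encodes only what the page states: 60-day individual notice, substitute web
    notice once 10 contacts are unusable, the 500-individual large-breach
    threshold, and the annual HHS report for smaller breaches.
    """
    day60 = b.discovered + timedelta(days=60)
    day90 = b.discovered + timedelta(days=90)
    channel = "e-mail" if b.email_consent else "first-class mail"
    plan = [
        Obligation(f"Notify each affected individual by {channel}", day60),
        Obligation("Maintain toll-free number for affected individuals", day90),
    ]
    if b.unreachable >= 10:   # page: 10 incomplete records trigger the web notice
        plan.append(Obligation("Post substitute notice on website for 90 days", day90))
    if b.affected > 500:      # page: "more than 500 individuals"
        plan.append(Obligation("Issue press release to media outlets", day60))
        plan.append(Obligation("Submit breach report form to HHS OCR", day60))
    else:
        # Smaller breaches: report within 60 days after the end of the calendar year
        year_end = date(b.discovered.year, 12, 31)
        plan.append(Obligation("Report breach to HHS in annual submission",
                               year_end + timedelta(days=60)))
    return plan

if __name__ == "__main__":
    # Constructed example: incident discovered 15 March 2022, 1200 patients, 25 unreachable
    for item in notification_plan(Breach(date(2022, 3, 15), affected=1200, unreachable=25)):
        print(f"{item.due}  {item.action}")
```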
Steps for your organization to take
Outside of HIPAA requirements, it’s a good idea to have an internal plan in case the worst happens. While this may sound pretty straightforward, not all offices have this in place – in fact, according to a 2021 HIPAA survey, almost 30 percent of organizations didn’t have a formal risk management plan, and almost 20 percent had no response plan policies or guidelines at all in case of an incident.
If you don’t have a plan in place, consider these steps to at least get started:
- Step 1: Verify and Analyze
The first thing to do if you think you have had a breach is to confirm that a breach has taken place and what type. This is not only important for reporting but also for your recovery. Be sure it’s not a false alarm, and verify that data has been compromised.
- Step 2: Close the Loop
If you’re sure data has left the building, don’t leave the door open: Close it immediately and ensure that this type of incident cannot happen again. Work with systems experts to confirm you’ve found and eliminated the vulnerability.
- Step 3: Notify Authorities
As noted above, you must notify HHS, following HIPAA’s procedures, once you know there’s been a breach. Follow the guidelines closely to ensure compliance and reduce the chance of fines or penalties.
- Step 4: Notify Affected Patients with an Action Plan
It’s a good idea to overcommunicate with patients to ensure they are all reached and that they can see your organization is taking the issue seriously. Part of that communication needs to include what you’re doing to be sure this kind of problem will not happen again, so that they can feel reassured.
- Step 5: Upgrade/Amend Systems where Possible
If the breach was due to an outdated or suboptimal system, this is your opportunity to improve or upgrade your technical tools to ensure you won’t have this issue again.
One of the best steps you can take is to ensure you have HIPAA-compliant technology already in place. These systems build in privacy and security from the beginning. They can greatly reduce the chances of breaches occurring in the first place and limit their extent if they happen.
For example, RingRx’s VoIP solutions for patient communication, phone systems, information management and patient portals are all based around HIPAA protocols, helping organizations more easily ensure compliance and security. Similarly, look at your other IT and records management systems and processes, and see where you can implement better solutions that will better support HIPAA protocols and reduce the potential for human error.
By preparing for the worst and upgrading your systems for the best, you and your organization can be ready to handle whatever comes your way – even in today’s ever-changing cybersecurity landscape.
If you’d like to understand how RingRx helps ensure HIPAA compliance, please download our whitepaper here.