The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

5 Best Practices for Healthcare Data Breach Incident Response and Reporting

Healthcare data breach incident response and reporting is a key area of regulatory compliance for organizations in the healthcare industry, yet there are many examples in HHS’ Breach Report where the Office for Civil Rights has had to “provide technical assistance regarding [compliance with] the HIPAA Breach Notification Rule”. This implies that covered entities and business associates are failing to respond to and report healthcare data breaches in a timely manner.

The Archive section of HHS’ Breach Report is a mine of valuable information about the true causes of HIPAA data breaches. Most of the 5,000+ entries have a dropdown box which reveals the nature of the breach, how it occurred, and the steps taken by the notifying entity to mitigate the consequences of the breach and to prevent it happening again. However, in more than 1,500 cases it is noted that the Office for Civil Rights provided technical assistance regarding the HIPAA Breach Notification Rule.

Most of the 5,000+ data breaches were avoidable. Had the covered entity or business associate responsible for the breach implemented reasonable safeguards and provided adequate HIPAA training, many would never have happened. But while there may be excuses for security shortcomings and human errors, there are no excuses for failing to comply with the HIPAA Breach Notification Rule, because the Rule has few requirements and they are straightforward to understand.

A further cause for concern is that the 5,000+ data breaches in HHS’ Breach Report are only those affecting more than 500 individuals. Each year, HHS’ Office for Civil Rights is notified of more than 60,000 data breaches affecting fewer than 500 individuals. If approximately one in three of the accessible reports indicate failures of healthcare data breach incident response and reporting, this implies up to 20,000 data breaches each year are not responded to or reported in a timely manner.


What is a Healthcare Data Breach?

A HIPAA healthcare data breach is defined by HHS as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of Protected Health Information (PHI)”. As the Security Rule protects a subset of information covered by the Privacy Rule, the cause of a healthcare data breach can range from a nurse being overheard when discussing a patient’s health condition to a hacker misusing an employee’s credentials to access millions of records in a healthcare database.

It is important to be aware that since 2009, a healthcare data breach includes any event in which PHI is out of a covered entity’s or business associate’s control – i.e., due to a stolen laptop, ransomware attack, etc. Although it may not be possible to determine that an impermissible use or disclosure has occurred, covered entities and business associates that decide not to respond to or report such an event bear the burden of proof to demonstrate that an impermissible use or disclosure has not occurred.

It is also important to be aware that additional reporting requirements exist in some states, while other states exempt covered entities and business associates from reporting breaches of PHI, but not breaches of individually identifiable information maintained outside a designated record set (e.g., Colorado). Healthcare organizations should bear these additional requirements in mind when applying the following 5 best practices for healthcare data breach incident response and reporting.

5 Response and Reporting Best Practices

The following 5 best practices for healthcare data breach incident response and reporting are the minimum measures a healthcare organization should implement. The best practices follow a logical order and it is important they are conducted as quickly as possible. The longer an individual is unaware their personal information has been compromised, the less time they have to protect themselves against medical identity theft, fraud, and other misuses of the compromised data.

1. Implement Internal Breach Reporting Procedures

The most important element of healthcare data breach incident response and reporting is getting a message to those responsible for response and reporting as soon as possible. In some cases, Security Information and Event Management (SIEM) systems can be configured to automatically alert SOC teams to unauthorized network access, but it is more often the case that a healthcare data breach is identified by a member of the workforce, a business associate, or a third party – such as a white hat hacker.

In such events, not only is it important for there to be an effective system of communication, but it is also important that internal breach reporting is encouraged among workforce members. It has been estimated that 40% of IT security incidents are “hidden” by workforce members because they believe they will get into trouble if they report them. Tougher sanctions will not resolve this issue, so organizations must develop a culture of forgiveness for IT incidents attributable to human error.

2. Conduct a Risk Assessment to See if a Breach is Notifiable

While every breach must be responded to, not all are notifiable to affected individuals, HHS’ Office for Civil Rights, and – where applicable – State Attorneys General. Before notifying a data breach, HHS’ Office for Civil Rights recommends conducting a risk assessment to determine whether PHI has been impermissibly used or disclosed. The risk assessment should consist of at least the following factors:

  • The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
  • The unauthorized person who used the PHI or to whom the disclosure was made.
  • Whether the PHI was actually acquired or viewed.
  • The extent to which the risk to the PHI has been mitigated.

It is not mandatory to conduct a risk assessment prior to notifying HHS’ Office for Civil Rights of a healthcare data breach; but if a risk assessment finds there is a low probability of PHI having been compromised – or that an exception exists to the HIPAA Breach Notification Rule – organizations can avoid the potential disruption of a compliance investigation. It is also a good business practice not to unnecessarily worry an individual that their personal data has been stolen if you don’t have to!

3. Advise a Law Enforcement Agency of the Breach

There is a clause in the Breach Notification Rule (45 CFR §164.412) that permits organizations to delay making the required breach notifications if making the notifications would impede a criminal investigation. Without knowing what criminal investigations are ongoing – and notwithstanding that the FBI recommends reporting all Internet crime – it is impossible to determine whether a delay is justified without advising a law enforcement agency of the healthcare data breach.

In addition, it has been calculated that 35% of all data breaches in healthcare are attributable to “insider threats”. It may be in an organization’s best interests to request a law enforcement investigation in order to determine whether a breach is attributable to an insider, and whether it may be repeated. In all circumstances, the law enforcement agency will be able to advise the organization if the organization can go ahead with notifying the breach or if a delay would be advisable.

4. Notify Individuals and Regulatory Agencies

Subject to the result of the risk assessment and law enforcement advice, individuals who are affected by the data breach should be notified of the data breach as quickly as possible. The content of the notifications and the method of notification are stipulated in 45 CFR §164.404, and it is important to note that the time allowed to notify affected individuals may be shorter in some states than the maximum of 60 days allowed by the HIPAA Breach Notification Rule.

With regards to notifying regulatory agencies, the notification requirements vary depending on the size and nature of the breach. For example, HHS’ Office for Civil Rights requires breaches affecting more than 500 individuals to be notified within 60 days, while the limit in Alabama is 1,000 individuals. In addition, in some states it is only necessary to notify data breaches attributable to cybercrime. In these cases, oral and paper data breaches do not have to be notified to the state.

5. Address the Real Cause of the Breach

Returning to the Archive section of HHS’ Breach Report, many of the data breach descriptions claim the notifying entity or their business associate was the victim of an unspecified cyberattack, ransomware attack, or phishing attack. However, these events do not happen by themselves, and although cybercriminals have access to sophisticated malware, they still have to “get in the door” before they can deploy the malware and execute their attacks.

It has been reported that around 80% of data breaches categorized as “hacking and IT incidents” are attributable to weak, reused, and compromised passwords. Therefore, in terms of addressing the real cause of the breach, healthcare organizations should strengthen password policies, protect sensitive accounts with 2FA, and invest in susceptibility testing. Strengthening all users’ passwords – even those with no access to PHI – is the most effective way to prevent future data breaches.

Keeping Up To Date with Healthcare Data Breach Incident Response and Reporting Best Practices

Healthcare data security is an ongoing process – not only due to the increasing sophistication of internal and external threats, but also due to changing regulatory requirements. Keeping up to date with healthcare data breach incident response and reporting best practices could be vital to safeguard the confidentiality, integrity, and availability of PHI and – as has been proposed – to qualify for participation in CMS’ Medicare and Medicaid programs.

It can be difficult for healthcare organizations to monitor compliance with the healthcare data breach incident response and reporting requirements when compliance with other laws, regulations, and standards also has to be monitored. However, there are software solutions that can help resolve this issue, and organizations interested in investigating software solutions for keeping up to date with all healthcare compliance best practices are advised to seek professional compliance advice.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
