HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

How to Respond to a Healthcare Data Breach

HIPAA-covered entities that have spent time developing and testing a health data breach response plan will be able to respond more quickly to a suspected data breach and execute an efficient HIPAA breach response. Those that have not invested time and effort into planning are likely to struggle to react quickly, and delays can prove costly.

As the Ponemon Institute’s 2017 Cost of a Data Breach study showed, having a health data breach response plan helps organizations to execute an efficient HIPAA breach response. The faster the response, the easier it will be to contain the breach quickly and limit the harm caused. Organizations that are able to respond to a data breach quickly end up paying less in breach resolution costs. The cost of a data breach increases the longer it takes to respond and deal with the breach.

Cyberattacks and Data Breaches Are Inevitable

With hackers targeting healthcare providers for the protected health information (PHI) they hold, data breaches are no longer a probability but an inevitability. In fact, it is now highly likely that healthcare providers, health plans, and their business associates will suffer not just one data breach, but multiple incidents in which patient health data is exposed or stolen.

If robust multi-layered cybersecurity defenses are deployed, employees are trained on internal data privacy and security policies, and individuals are told how to identify phishing emails and social engineering attacks, the risk of suffering a data breach can be greatly reduced. The risk can never, however, be reduced to zero.

It is therefore vital for HIPAA-covered entities to develop a health data breach response plan that can be implemented immediately following the discovery of a cyberattack, malware infection, or other privacy breach. Being able to respond to a data breach rapidly, and execute a highly efficient HIPAA breach response, will help to reduce the damage to the HIPAA-covered entity and the harm caused to patients and plan members.

Your Health Data Breach Response Plan and HIPAA

Following any data breach, covered entities should assess the severity of the breach, the number of individuals impacted, the risk those individuals face, and any ongoing threats to the confidentiality, integrity, and availability of PHI.

After risks have been assessed, a risk management plan should be developed and implemented to address the vulnerability or vulnerabilities that led to the breach. In addition to addressing specific vulnerabilities, policies and procedures should be reviewed to determine whether policy or procedural updates are required.

HIPAA (See Breach Notification Rule) requires a breach report to be submitted to the Secretary of the Department of Health and Human Services. The breach report can be submitted via HHS’ Office for Civil Rights breach reporting tool. Different timescales apply depending on the size of the breach and there are additional requirements for data breaches exceeding 500 records (See below).

Notifications must also be sent to all individuals impacted by the breach, informing them of the nature of the breach, the types of information that have been exposed or stolen, what the covered entity is doing in response to the breach, and how affected individuals can mitigate risk.

In addition to complying with HIPAA Rules, healthcare organizations must also comply with state data breach laws. There are currently 48 states that have introduced data breach laws. Those laws may differ from HIPAA and could require faster notifications and the provision of credit monitoring and identity theft protection services to breach victims. State laws typically require a notification to be sent to the state attorney general. Healthcare organizations should check the data breach laws in the states in which they operate and incorporate those requirements into their health data breach response plan.

The Differences Between Large and Small Data Breaches

Following any breach of ePHI, the HIPAA Breach Notification Rule requires notifications to be sent to all individuals whose PHI was exposed or stolen. Regardless of the size of the breach, those notifications must be issued within 60 days of the discovery of the breach, although HIPAA covered entities should not delay issuing notifications unnecessarily.

For breaches that involve fewer than 500 records, the breached entity is required to submit a breach notification to OCR within 60 days of the end of the calendar year in which the breach was experienced.

For breaches involving 500 or more records, the breach notice must be submitted to OCR without unnecessary delay, but in no case later than 60 days after the discovery of the breach. Additionally, a breach notification should be submitted to a prominent media outlet in the area in which the covered entity operates, and a substitute breach notice should be uploaded to the breached entity’s website and prominently linked from the home page. These requirements should be detailed in your health data breach response plan.
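The notification timelines above are a decision procedure (who must be told, and by when, depending on the record count and the discovery date), and a response plan benefits from having them computed rather than recalled under pressure. The following is an added example, not code from HIPAA Journal: it encodes the 60-day windows and the 500-record threshold exactly as stated above, and treats any shorter state-law window (the optional `state_notice_days` parameter, a hypothetical input) as measured from the discovery date, which is an assumption since the article does not specify how state windows are counted. Dates may be passed as `date` objects or ISO strings; the sample scenario at the bottom is constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Union

# Thresholds and windows exactly as the Breach Notification Rule is summarized on this page.
LARGE_BREACH_THRESHOLD = 500            # records at or above which the large-breach rules apply
HIPAA_WINDOW = timedelta(days=60)       # outer limit; notices should not be delayed unnecessarily

DateLike = Union[date, str]


def _as_date(value: DateLike) -> date:
    """Accept a date or an ISO string such as '2024-03-10'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


@dataclass(frozen=True)
class BreachNotificationPlan:
    affected_count: int
    discovery_date: date
    individual_notice_due: date      # notices to every affected individual
    ocr_report_due: date             # breach report to the HHS Office for Civil Rights
    media_notice_required: bool      # notice to a prominent media outlet in the area served
    website_notice_required: bool    # substitute notice on the website, linked from the home page

    @property
    def is_large_breach(self) -> bool:
        return self.affected_count >= LARGE_BREACH_THRESHOLD


def plan_notifications(discovery_date: DateLike, affected_count: int,
                       state_notice_days: Optional[int] = None) -> BreachNotificationPlan:
    """Derive the notification deadlines for a breach discovered on discovery_date.

    state_notice_days is a hypothetical shorter window imposed by a state breach law;
    it is assumed here to be measured from discovery, and the earlier deadline wins.
    """
    discovered = _as_date(discovery_date)
    if affected_count < 0:
        raise ValueError("affected_count must be non-negative")

    individual_due = discovered + HIPAA_WINDOW
    if state_notice_days is not None:
        individual_due = min(individual_due, discovered + timedelta(days=state_notice_days))

    large = affected_count >= LARGE_BREACH_THRESHOLD
    if large:
        # 500 or more records: report to OCR within 60 days of discovery.
        ocr_due = discovered + HIPAA_WINDOW
    else:
        # Fewer than 500: report within 60 days of the end of the calendar year of the breach.
        ocr_due = date(discovered.year, 12, 31) + HIPAA_WINDOW

    return BreachNotificationPlan(
        affected_count=affected_count,
        discovery_date=discovered,
        individual_notice_due=individual_due,
        ocr_report_due=ocr_due,
        media_notice_required=large,
        website_notice_required=large,
    )


def days_until(deadline: DateLike, today: DateLike) -> int:
    """Days left before a deadline; negative when it has already passed."""
    return (_as_date(deadline) - _as_date(today)).days


def overdue_items(plan: BreachNotificationPlan, today: DateLike) -> list:
    """Names of the dated obligations whose deadline has passed as of today."""
    now = _as_date(today)
    dated = {
        "individual_notice": plan.individual_notice_due,
        "ocr_report": plan.ocr_report_due,
    }
    return sorted(name for name, due in dated.items() if now > due)


if __name__ == "__main__":
    # Constructed scenario: two breaches discovered on the same day, one either side of the threshold.
    for count in (120, 1200):
        plan = plan_notifications("2024-03-10", count)
        print(f"{count:>5} records: individuals by {plan.individual_notice_due}, "
              f"OCR by {plan.ocr_report_due}, media/website notice: {plan.media_notice_required}")
```

Running the scenario shows the practical difference between the two tiers: both breaches owe individual notices by the same date, but the small breach's OCR report is not due until 60 days after the end of the calendar year, while the large one owes OCR, media and website notices on the 60-day clock from discovery. The `overdue_items` check is the kind of tripwire a response coordinator can run daily during an incident.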

Your Health Data Breach Response Plan

In order for an efficient HIPAA breach response to be executed, it is essential that a health data breach plan is tried and tested. All members of staff involved in the health data breach response plan must be made aware of their responsibilities in advance so they know how to act when a breach occurs.

The health data breach response plan should enable resources to be diverted to deal with the breach without major disruption to the business. External experts will likely be needed to assist with a HIPAA breach response, and the process will be considerably faster if retainers are set up in advance. You should also find out what information they will need, such as access to logs, and be able to provide this information quickly. This will help to minimize costly delays.

A communications plan must be developed, so that in the event of a ransomware attack when systems are taken out of action, or when networks need to be shut down to minimize damage, everyone in the organization will know what is going on and how to act.

The IT department will be managing a considerable proportion of the breach response, so it is essential that IT department employees understand what must be done, and in what order. The IT department should know how to quickly perform password resets, how to shut down parts of the network, which accounts have administrator rights, and how to reset service accounts.

How to Execute an Efficient HIPAA Breach Response

What should the response to a healthcare data breach be? How should covered entities and their business associates respond to a suspected breach of protected health information?

Take a look at the infographic below. It summarizes a standard HIPAA breach response to a cyberattack or malware infection and details some of the elements of a typical health data breach response plan, together with steps that can be taken to mitigate risk quickly, reduce harm, and limit patient churn.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.