Responding to a Potential Breach of Protected Health Information
February 7, 2018
By: Deanna Mool
Encountering a potential breach at your healthcare organization can be a stressful proposition. Your response will depend on the type of potential breach that has occurred. The mishandling of protected health information by a single employee is a more straightforward matter than a complex electronic incident.
Let's assume your cloud provider contacts your facility to indicate that your medical records have potentially been compromised. If the records are usable at that time, you may be able to go on with business as usual while working with your cloud provider to ascertain the extent of the problem and whether you will be required to notify patients of a potential breach. You will need to be diligent in determining the cloud provider’s response and may need the assistance of counsel to determine what to verify.
If the records are not usable, you'll have a much more immediate problem of moving to a contingency plan for maintaining services while your electronic medical record is unavailable.
If your business has suffered a direct ransomware attack or hacking incident, not only will you have to determine how to maintain services by implementing your contingency plan, you will also have to limit the attack's impact on your systems. This response may include taking individual workstations or entire systems offline to contain infected devices. Where possible, disconnect an infected machine from the network rather than powering it off: shutting down destroys the contents of memory, which a forensic examiner may later need. Again, the importance of a contingency plan for these situations cannot be overstated.
Assuming that your professional liability insurance provides cyberliability coverage, or you have purchased cyberliability coverage in a separate policy, you will also notify your carrier as soon as possible. Most cyberliability policies contain coverage for legal services to shepherd you through the recovery process. Do not hesitate to tell your carrier who you prefer to have as your legal counsel. If qualified, the carrier will add your preferred attorney to their panel. Heyl Royster attorneys are frequently added to cyberliability carrier panels under these circumstances.
Once the immediate service concerns have been handled, it is important to be careful in bringing your systems back online. You may need to forensically image disks before wiping and restoring them. The failure to properly image an infected system or drive may mean you lose the chance to determine whether a reportable breach has actually occurred. Under HIPAA, ransomware that encrypts protected health information is presumed to be a breach, but the breach is not reportable to the Office for Civil Rights if your risk assessment demonstrates a low probability that the data was compromised, for example because you can show it was never accessed or exfiltrated.
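The imaging step above is only useful if you can later prove the image is a faithful copy of the drive. The following shell script is an added example, not part of the original article or of any Heyl Royster material: it takes a raw image with `dd`, hashes both the source and the image with `sha256sum`, stores the hash beside the image, and appends a chain-of-custody line to a log. The function name, the log format and the paths shown in the usage line are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original article: take a raw forensic image of a
# drive before it is wiped, then prove the image matches the source by hashing
# both and recording the result in a chain-of-custody log.
# All paths are placeholders; run as root against a real block device
# (e.g. /dev/sdb), ideally through a hardware write blocker.

# image_and_verify SOURCE IMAGE LOG
#   SOURCE  block device to preserve (a regular file works for testing)
#   IMAGE   destination file for the raw image; keep it on a different disk
#   LOG     chain-of-custody log, appended to
# Returns 0 if the image hash equals the source hash, 1 otherwise.
image_and_verify() {
    src="$1"; img="$2"; log="$3"
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)

    # bs=512 matches the sector size, so conv=noerror,sync (keep going past
    # unreadable sectors and zero-fill them) cannot change the image length
    # for a device whose size is a whole number of sectors.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || {
        printf '%s IMAGE_FAILED %s -> %s\n' "$stamp" "$src" "$img" >> "$log"
        return 1
    }

    src_hash=$(sha256sum "$src" | awk '{print $1}')
    img_hash=$(sha256sum "$img" | awk '{print $1}')

    # Keep the hash beside the image so it travels with the evidence.
    printf '%s  %s\n' "$img_hash" "$img" > "$img.sha256"

    if [ "$src_hash" = "$img_hash" ]; then
        # Mark the image read-only once it is known to be good.
        chmod 0444 "$img"
        printf '%s VERIFIED %s -> %s sha256=%s by=%s\n' \
            "$stamp" "$src" "$img" "$img_hash" "$(id -un)" >> "$log"
        return 0
    fi
    printf '%s MISMATCH %s -> %s src_sha256=%s img_sha256=%s\n' \
        "$stamp" "$src" "$img" "$src_hash" "$img_hash" >> "$log"
    return 1
}

# Usage (placeholder paths):
#   sh image_and_verify.sh /dev/sdb /mnt/evidence/sdb.dd custody.log
if [ "$#" -ge 2 ]; then
    image_and_verify "$1" "$2" "${3:-custody.log}"
fi
```

The hash comparison is the point: a mismatch means the copy cannot be relied on as evidence, and the log line records that fact with a timestamp and the account that ran the job. Because `conv=sync` pads a short final read to a full 512-byte block, a source whose size is not a whole number of sectors will fail verification; for real disks that does not happen, and for test files it is a quick way to see the mismatch path.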
Because of the potential liability involved, your organization will need a thorough investigation of what happened and how to stop it from reoccurring. Your organization should have an internal committee that will review whether a breach has occurred and whether it is reportable. You do not want the decision for this potential liability to lie with one person. Further, Board approval of the decision to report a breach may be appropriate in this situation.
Truly the best defense against a breach is a great offense. You should have your risk analysis updated. You need to have policies in place on how you will respond to any type of breach. You need to train your staff on your policies and procedures so they know how to respond. Further, you should determine whether the purchase of a cyberliability policy makes sense for your organization.
Heyl Royster has experienced attorneys who frequently draft these response policies in advance of any problem, or after a problem, to prevent further issues. In addition, if the worst happens and your organization has a potential breach, Heyl Royster attorneys can counsel your organization and walk the organization through the process of responding to the potential breach. We will also guide you through the notification process. There are potential notifications that will need to be made to law enforcement. In addition, if HIPAA data is involved, there are notifications to patients, the Office for Civil Rights, and the Illinois Attorney General's office, all of which have reporting deadlines. Finally, we will address any liability or enforcement matters to achieve the best possible result.