Disclosure Management in a Risky World
By Julie Knudson
For The Record
Vol. 28 No. 4 P. 22
Understanding obligations and developing a proactive plan help organizations prepare for breach events.
The specter of the next big data breach looms large in the health care industry. Provider organizations possess huge repositories of treasure, with clinical information sitting alongside personal and financial data. From Social Security numbers to insurance identifiers and bank routing details, health systems have it all. Protecting those data from exposure, whether at the hands of a determined hacker or as a result of a negligent vendor or employee, is now at center stage.
As providers worry about avoiding a breach, a bevy of state and federal regulations have come onto the scene to help protect patients and consumers. Balancing both sides of the equation—legislators at one end of the scale and health systems on the other—is made more difficult by a steady stream of security threats that always seem to be one step ahead. Knowing the landscape as it exists today, and where the regulations and risks are likely to go tomorrow, can help providers develop an effective mix of protective and defensive practices.
Regulations, Responses Begin to Mature
With more experience under their belts, health systems across the board are becoming more familiar with breach regulations and how they translate into practice. Larger provider organizations have already familiarized themselves with the processes and laws. "Now I'm seeing even smaller facilities and small physician practices become more attuned to the regulations," says Rita Bowen, MA, RHIA, CHPS, SSGB, vice president of privacy, HIM policy, and education at MRO.
Small entities often felt distanced from the risks as well as the regulations. With the evolution of threats as well as laws, Bowen believes most have now developed a better understanding of where they fit in the broader picture. "In the past, if you went into a system where they had corporate support and a corporate attorney, then they had a perspective for an interpretation," she says. "In the smaller facilities, where an individual was wearing many, many hats, they may not have been as attuned to it."
The breach environment is a challenging one for provider organizations of all sizes. Exposure of protected health information (PHI) can occur across a vast—and vastly increasing—spectrum of touch points, from archived paper records to the numerous digital highways that carry information. "It's difficult to have the type of very tight disclosure management necessary to mitigate against improper uses and disclosures," says Ramy Fayed, a partner and health care practice leader at the legal firm Dentons. "There are ubiquitous threats of breaches, which can occur from either sophisticated hacking types of approaches or the less technical social engineering that we hear everyone talking about these days."
Complicating those challenges are the driving forces within the health care industry and at many levels of government to enhance the flow of information across the continuum of care. It's a combination that hasn't made security solutions easier to find.
As the regulatory landscape has become more settled, the various agencies involved in enforcing breach laws have evolved, says Sidney Welch, JD, MPH, a shareholder and chair of health care innovation in the Atlanta office of law firm Polsinelli. "I think the agencies have found their footing over the past couple of years in terms of what the priorities are," she says.
Even though the Department of Health and Human Services' Office for Civil Rights (OCR) typically takes the primary role where breaches involving PHI are concerned, it may not be the only agency involved, depending on the specifics of the exposure. "We've seen, in the past 12 to 24 months, FTC [the Federal Trade Commission] tiptoeing into this purview, trying to establish a place at the table as well," Welch says.
Changes on the Horizon
As with many issues in the health care realm, breach prevention, notification, and response regulations continue to mature and develop a stronger focus. State legislation in particular has undergone recent changes. "California, which always seems to be at the forefront of laws, had a very stringent five-business-day notification period for certain licensed health care facilities," says Erin Fleming Dunlap, a shareholder in Polsinelli's St. Louis office.
That timeframe was proving to be difficult for providers, who were often forced to juggle investigating the cause and scope of potential security breaches, reporting requirements, and patient notification at the same time. "You can imagine by the time some of these incidents make their way through an investigation, it's tough to hit a five-business-day notification deadline," Dunlap says. As a result, the state added 10 business days to the deadline, bringing it to 15 business days.
Regulators' approaches to data security and the effectiveness of breach response plans are also shifting. Barb Beckett, RHIT, CHPS, system privacy officer at Saint Luke's Health System in Kansas City, Missouri, says there is increased scrutiny around "facilities that may not have their policies and their processes in place and that are not fixing problems when one occurs and then is repeated."
Providers that suffer more than one breach are increasingly likely to see escalating penalties, Beckett says, a change she believes could have a positive long-term effect. "It's forcing facilities, health care providers, and business associates to enhance their level of information security and to make sure they do their regular routine risk assessments," says Beckett, who hopes more effective preventive measures will result in more secure patient data.
The challenge in front of health care providers isn't straightforward or even linear. The volume and value of the data they hold is enormous—and it's only going to multiply over time. Welch calls today's environment "the tip of the iceberg" when it comes to breaches and exposure risks. The good news, she says, is that as investigations are ramping up, entities are improving their response protocols and looking for other ways to boost security. "Companies are starting to systematize their processes to respond to what happens in the event of a breach," Welch says. Self-preservation concerns also are making issues such as loss mitigation and robust cyber insurance coverage more of a priority.
Naturally, the issue of data security is also influencing other aspects of how health care organizations do business. In fact, some organizations are looking for ways to use patients' security concerns as a competitive edge. "It may be that they can distinguish themselves from their competitors because of what they do internally to protect patients' information from disclosure," Welch explains. Turning an expense into an avenue for revenue growth may even be changing how health care systems approach breach prevention at a fundamental level, she adds.
Building a Strong Disclosure Management Policy
Lynn Sessions, Esq., a partner at BakerHostetler in Houston, says provider organizations are actively searching for ways to improve their defensive posture. Breach response plans are getting increased scrutiny at the corporate level, with more attention being given to proactively identifying potential vulnerabilities. "What we're starting to see is that organizations, particularly those that have sophisticated privacy and security officers, are drilling down on these things," Sessions says. "For example, with all of the phishing e-mails that were the basis of a number of the large hackings last year, we're seeing health care organizations starting to utilize software that will actually phish their employees [in order to] test their employees."
If staff fail the test by clicking the simulated malicious link (merely opening the message is not, by itself, a meaningful failure), the organization can provide education on the spot to correct the behavior and close a security gap before a real attacker finds it.
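As an added illustration of the employee-phishing test described above (example code written for this page, not software from the article, its sources, or any vendor): each recipient receives a unique link whose token is HMAC-signed under a per-campaign key, so a recipient cannot forge a colleague's click by editing the employee identifier in the URL. The landing page verifies the token and records the click, duplicate clicks count once, and the campaign report lists who clicked (and so needs on-the-spot training), who reported the message to the security mailbox, and who took no action. The landing URL, campaign identifier, and roster are constructed for the example.

```python
"""Minimal phishing-simulation campaign tracker (added example, not from the
article).  Assumes a per-campaign secret key held server-side, a hypothetical
landing URL, and a constructed roster of employees."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlparse

LANDING_URL = "https://training.example.org/awareness"  # assumed, not a real service


def make_token(campaign_id: str, employee_id: str, key: bytes) -> str:
    """Signed token 'campaign.employee.mac'.  Identifiers must not contain '.'.
    The MAC binds the employee id, so editing it in the URL invalidates the token."""
    msg = f"{campaign_id}:{employee_id}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]
    return f"{campaign_id}.{employee_id}.{mac}"


def verify_token(token: str, key: bytes):
    """Return (campaign_id, employee_id), or None if the token is malformed or forged."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    campaign_id, employee_id, mac = parts
    expected = hmac.new(key, f"{campaign_id}:{employee_id}".encode(),
                        hashlib.sha256).hexdigest()[:32]
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    return campaign_id, employee_id


@dataclass
class Campaign:
    campaign_id: str
    recipients: dict                      # employee_id -> e-mail address
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    events: dict = field(default_factory=dict)  # employee_id -> set of event names

    def link_for(self, employee_id: str) -> str:
        """Per-recipient link embedded in the simulated phishing mail."""
        token = make_token(self.campaign_id, employee_id, self.key)
        return LANDING_URL + "?" + urlencode({"t": token})

    def record_click(self, url: str) -> bool:
        """Called by the landing page.  Rejects forged or malformed tokens, tokens
        from another campaign, and unknown employees; repeated clicks count once."""
        token = parse_qs(urlparse(url).query).get("t", [""])[0]
        parsed = verify_token(token, self.key)
        if parsed is None or parsed[0] != self.campaign_id or parsed[1] not in self.recipients:
            return False
        self.events.setdefault(parsed[1], set()).add("clicked")
        return True

    def record_report(self, employee_id: str) -> None:
        """Employee forwarded the message to the security mailbox (desired behavior)."""
        if employee_id in self.recipients:
            self.events.setdefault(employee_id, set()).add("reported")

    def report(self) -> dict:
        """Who needs on-the-spot training, who reported, who did nothing, click rate."""
        clicked = sorted(e for e, ev in self.events.items() if "clicked" in ev)
        reported = sorted(e for e, ev in self.events.items() if "reported" in ev)
        no_action = sorted(set(self.recipients) - set(self.events))
        rate = len(clicked) / len(self.recipients) if self.recipients else 0.0
        return {"needs_training": clicked, "reported": reported,
                "no_action": no_action, "click_rate": rate}


def demo() -> dict:
    """Constructed campaign: alice clicks twice, bob reports, carol ignores it,
    and alice tries to pin a click on carol with an unsigned token."""
    c = Campaign("q1-2016", {"e001": "alice@example.org",
                             "e002": "bob@example.org",
                             "e003": "carol@example.org"})
    c.record_click(c.link_for("e001"))
    c.record_click(c.link_for("e001"))          # duplicate, counted once
    c.record_report("e002")
    forged = LANDING_URL + "?" + urlencode({"t": "q1-2016.e003." + "0" * 32})
    result = c.report()
    result["forged_accepted"] = c.record_click(forged)   # False: MAC mismatch
    return result


if __name__ == "__main__":
    print(demo())
```

The token carries an opaque employee id rather than an e-mail address so the link itself leaks nothing useful if a recipient forwards it; the security property that matters is that the signed token, not the URL's visible fields, decides whose record is updated.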
Effective disclosure management policies often are built on a broad base for incident response activities. A far-reaching platform can prove extremely valuable in a real-world breach scenario. "It's important to have the team established," Dunlap says, "one that pulls from different departments and different disciplines within your organization, because every situation is going to present a different set of facts and every incident is going to have its own nuances."
It may be necessary to immediately involve an IT expert, or the situation could call for some quick damage control from the public relations (PR) group. "You want people within your organization who have planned their approach as to how they're going to go about responding to these types of incidents," Dunlap says, adding that trying to make decisions about a course of action after the fact will only slow down the team.
With a complex landscape ahead, Fayed says that standardization—of data, protective measures, and defensive protocols—is key to managing data privacy. "It's looking at your entire enterprise and figuring out where all the in and out points are for uses and disclosures of PHI. Then you need to try to come up with a centralized or standardized way to manage it," he says, noting that this usually means close coordination between several groups, including the organization's privacy function, HIM, and IT.
A comprehensive plan is even more important when multiple EHR solutions or other platforms may be interconnected. "They don't all necessarily talk to each other or work well together," Fayed says. "Knowing about disclosures going out of one system vs disclosures coming out of another system, and figuring out a way to get that all centralized so you have a way to better track that type of variability, is an important component."
The best data protection strategies not only cross multiple departments but they also typically involve more than one company. Business associates are an important link in the security chain, one that providers must carefully monitor. Making these relationships stronger and more secure is something Sara Goldstein, Esq., general counsel at MRO, says is crucial. It all starts with the business associate agreement. "Those agreements may not be taken seriously, or the terms and conditions may not be fully understood," she says.
Goldstein encourages providers to review their business associate agreements periodically to ensure everything is in line with the organization's policies and expectations. "There was a big rush to update these contracts in 2013 related to the final omnibus rule," she says, "but I think it's time now for another review and maybe an update to bring them in line with whatever your standard business associate agreement is today."
Fill Gaps With Expert Guidance
Few health care organizations have enough resources in-house to adequately respond to a data breach. Even those with ample staffing may want to partner with experts experienced in managing the nuances of an exposure. Finding support around data breach risks and response strategies can encompass many avenues. Beckett suggests visiting the websites of groups such as AHIMA, HIMSS, and the US Department of Health and Human Services (HHS), organizations with deep pools of helpful industry connections. "I always suggest that people go and look there because you can find vendors and information," she notes.
Asking peers for recommendations also can prove fruitful. Beckett taps into local networks when needed. "We have a group that meets every quarter on privacy, security, and compliance, and we ask, 'What software are you using? Who do you go through?'" she says. Even if an organization has in-house expertise, such as a cadre of company attorneys, it still may be useful to ask if they know of breach-focused legal experts who can provide highly targeted direction should an exposure occur.
Simply identifying an outside partner isn't enough, though. Bowen says health care organizations should vet potential vendors before they're involved in any sort of breach response. "For example, if an event is large enough and you have to establish an outside call center, have you already made contact with someone to do that?" she asks.
Managing a flood of calls from concerned patients isn't something every call center vendor is trained or prepared to do. Keep in mind that responding appropriately to calls when PHI is involved is a different animal than dealing with consumers whose credit card information has been compromised. Some call center providers have little experience with the former. "Think ahead as to the worst event that could happen," Bowen says. "How would you respond? Then put those action plans in place so you're not scrambling when an event might occur."
PR is one area where most health care organizations can benefit from partnering with an outside expert. "On the PR front, you're looking for someone who knows how to do crisis management," Sessions says, noting that that's a skill set not found in every PR firm. "Their goal is to get your name in the news, but when you've got a data breach, you want someone to help you manage the crisis."
With facts and rumors sometimes competing for attention in the early stages of a breach investigation, it can be too easy to bungle the initial public response. "How are you going to have consistent messaging? How are you going to train your media spokespeople so that they understand how to stay on message and get the points across that are important?" Sessions asks.
The level of internal resources and expertise will naturally influence the type of support a breached provider requires. Help managing patient notification and similar victim assistance programs, which can be labor intensive, is sometimes best handed off to an outside company. "Some of these entities are very sophisticated and have great systems in place," Dunlap says.
Tracking which individuals have been impacted, which have already received notification, and how many have signed up for the offered services can be a significant challenge, particularly if the health care organization has been caught off guard by the breach. "As the number of affected individuals rises, these vendors can jump in quickly and say, 'Here's our system, here's how it works, and here's the exact information we need from you in order to provide our services,'" Dunlap says. The outside firm can then manage notifications and other aspects of the response plan directly, saving the provider time and effort that can be dedicated to other breach recovery tasks.
In addition to finding experienced outside experts to help deal with a breach, Goldstein recommends providers, regardless of size, strongly consider cyber liability insurance. "Depending on the policy, it might have built-in support," she explains. "In the event of a breach or improper disclosure, you may have a certain amount of money to spend toward a company that could come in and help you with the notification requirements, or that can help you do the forensics."
Data breach incidents typically are not covered by general insurance policies, a fact health care organizations may not realize. A separate policy, aimed directly at cyber liability events, is a solution that can provide financial assistance for the external expertise that will be necessary to carry the provider through the response process.
— Julie Knudson is a freelance writer based in Seattle.