Developing Breach Notification Policies and Procedures: An Overview of Mitigation and Response Planning

by Harry Rhodes, MBA, RHIA, CHPS, CPHIMS, FHIMA

A successful breach notification plan encompasses more than just a method for promptly notifying the victims of a security breach event. To be effective the breach notification process must be part of a comprehensive information security plan. Three components are critical to a security breach notification plan:

  • Risk assessment. The organization's information security plan of action must be begin with security risk assessment. A security risk is a known, yet unrealized situation.
  • Trigger events. The security risk assessment should identify threats and vulnerabilities and establish a system to monitor for security breach events. The staff's ability to identify security breach trigger events will ensure prompt initiation of appropriate response.
  • Mitigation plan. The security response team establishes a security incident response protocol that clearly outlines the mitigation process.

Performing a Security Risk Analysis

A risk analysis is the foundation of any sound privacy and security program; it is also a requirement of the HIPAA security rule. From the perspective of security prevention, the risk analysis process is an appropriate method of identifying threats and vulnerabilities to medical information and determining if existing privacy and security controls are sufficient to prevent security breach from occurring.

A proper risk analysis involves a three-step process identifying, evaluating, and eliminating or reducing risk. These steps include:

  • Asset inventory and prioritization
  • Threat and vulnerability identification
  • Examination of existing security controls associated with addressing identified threats and vulnerabilities
  • Determining the likelihood of exposure to identified threats and vulnerabilities
  • Determining the impact (fiscal, workflow, etc.) associated with the exercise of a threat or vulnerability exploitation
  • Determining, prioritizing, and mitigating identified risks

The risk analysis should address the three types of security safeguards clearly articulated in the HIPAA security rule: administrative, physical, and technical safeguards. It should be noted that research indicates that the primary cause of security breaches is related to the people or business side of an organization's operations. Therefore it is no surprise that the most extensive section on safeguards in the HIPAA security rule does not focus on technology. It focuses on administration.

Establishing a Security Incident Response Team

The security incident response team should be selected from the organization's data integrity stakeholders. The team should consist of key individuals from the department chosen for their ability to establish and implement a sustainable security response process:

  • Health information services
  • Privacy officer
  • Information systems
  • IT security
  • Risk management/legal
  • Physical security
  • Admitting staff
  • Nurse auditors
  • Compliance staff
  • Clinicians involved in chart clean-up issues
  • Administration

Within many organizations a "silo mentality" approach to internal business operations exists, and departments have few reasons to cross paths. A cross-functional team encourages collaboration and resource coordination through business workflow policies and procedures, helping eliminate gaps in information management that provide opportunities for data theft.

The best plan of action is to ensure that everyone has a monitoring role. At some level the security incident response team must take steps to involve the entire organization staff, business associates, and the patient in the monitoring and mitigation process.

Developing a Security Breach Response Plan

Effectively responding to incidents of security breach requires the collaborative efforts of individual victims, HIM professionals, privacy and security officers, organizational leaders, and external stakeholders.

A proactive security breach response plan or policy clearly outlines the response process by

  • Identifying current and evolving federal and state laws applicable to breach notification, reporting, and disclosure
  • Conducting a preemption analysis addressing HIPAA's permitted disclosures to law enforcement (ยง164.512(2)(5)) versus state law, determining when there is a need for court order, subpoena, or patient authorization
  • Determining the organization's obligations to report or disclose to law enforcement or government agencies information related to security breach notification

The Patient as a Key Stakeholder and Partner

Individual patients and family members may be the first to learn about a security breach involving their health information. The organization must ensure these individuals know how to respond to a suspected breach:

  • Contact the health information manager or privacy officer at the provider organization or anti-fraud hotline at the health plan where the security breach appears to have occurred.
  • Request an accounting of disclosures from the relevant healthcare providers or health plans.
  • Take detailed notes of conversations. Write down the date, name, and contact information of everyone contacted as well as the content of the conversation.
  • Make copies of any letters or e-mail sent or received regarding the identity theft.
  • Work with the organization where the security breach occurred to stop the flow of information, review health record correctness, and determine where information was sent.

The organization should welcome and encourage reports of possible security breaches from individual patients and their family members. The established security breach reporting mechanism must be widely known and easy to negotiate. Although it is crucial that key staff members are trained in the intricacies of security breach reporting, it is very important that the patient or family member is able to approach any member of the staff to report a suspected security breach.

Consumer awareness is critical for timely detection of and thorough response to a medical identity theft incident. Organizations should provide a consumer response checklist to ensure proactive guidance and quick action. See Medical Identity Theft Response Checklist for Consumers.

Security Incident Response

  • Identify and immediately stop the source or entity responsible for breach
  • Carry out IT forensic investigation to gather evidence and determine course of events as well as identify electronic protected health information compromised
  • Identify and sequester pertinent medical records, files, and other documents (paper and electronic)
  • Communicate with consumers and stakeholders via e-mail or telephone to validate and respond to the incident
  • Track incident response and mitigate the security breach incident.

The security incident response team should be charged with developing a security response checklist and reporting form. AHIMA offers the following sample forms:

  • Data Breach Investigation and Mitigation Checklist
  • Security Incident Response Report Form

Designating a Communications Coordinator

Designating one individual to serve as communications coordinator eliminates the need to involve members of the security incident response team and leaves them free to investigate and mitigate the incident. The communications coordinator can serve as the single point of contact between the organization and the media. However, response team members should be prepared to share information with the communications coordinator.

Organizations may take into consideration the following key points when working with the news media:

  • Ensure that the communications coordinator has a clear understanding of the technical issues behind the incident so that he or she may communicate effectively and accurately with the media.
  • Communicate accurate and concise information; avoid communicating misleading information, which may result in damage to the organization's reputation.
  • Consult with legal counsel regarding the extent of information to be disclosed.
  • Avoid communicating technical details that may entice hackers.
  • Consult with investigative agencies to ensure that any details about the incident that may be used as evidence are not disclosed without approval.

Developing a Breach Notification Letter Distribution Process

The security incident response team should be charged with developing the process for distributing a breach notification letter.

The team should establish a mechanism to trigger a breach notification response to an identified security breach. Key members of the security incident response team should have the authority to initiate the breach notification process.

It will be necessary to identify, notify, and track each individual whose unsecured protected health information has been accessed, acquired, or disclosed.

The team should establish policies and procedures for tracking:

  • Discovery date and details of discovery
  • All notifications made within the required 60-day reporting period
  • All notification delays and capturing reasons for delays
  • All communication with the Department of Health and Human Services
  • All notification delays requested by law enforcement entities

Federal and state regulation establishes varying high-level content for notification letters. AHIMA offers a compilation of suggested elements and format in Model Breach Notification Letter: Content and Format.

The organization will require a mechanism to notify Health and Human Services of unsecured protected health information breaches involving 500 or more individuals immediately and unsecured breach involving less than 500 individuals annually.

Because the federal breach notification regulations affect business associates, the team will need to define the notification obligations between the covered entity and its business associates.

A successful breach notification process that ensures the prompt notification of victims and guides the mitigation response of a security breach event must be part of a comprehensive information security plan of action. An effective breach notification process begins with the establishment of front-end administrative and technical safeguards and concludes with an appropriate follow-through process that successfully addresses the damaging effects of security breaches.

Resources

AHIMA 2007 Privacy and Security Practice Council. "How to React to a Security Incident." Journal of AHIMA 79, no. 1 (January 2008): 66-70.

AHIMA e-HIM Work Group on Medical Identity Theft. "Mitigating Medical Identity Theft." Journal of AHIMA 79, no. 7 (July 2008): 63-69.

Chitvanni, Norma, et al. "Medical Record Security/Risk Assessment." AHIMA 77th National Convention and Exhibit, October 2005.

Harry Rhodes (harry.rhodes@ahima.org) is director of practice leadership at AHIMA.