What does a Health Insurance Portability and Accountability Act (HIPAA)-related “incident response” mean to your organization and your oncology practice? Multiple articles and letters have been written on the subject, and the one thing that almost every author agrees on is that incident response must be a team approach: it must be embraced by the top, and permeate throughout the rest of any organization for it to work. If you had to stop and ponder that question, chances are your organization is in need of a documented and communicated incident response protocol. Before discussing a good incident response system, it is important to remember that prevention is always the best medicine. Prevention of incidents comes in many forms. Chief among them are:
- Training Ensure that your staff is trained at least annually on the HIPAA rules, to include breach notification.
- Develop policies and processes for reporting Who is the privacy and/or security officer? What constitutes an incident? What form is used to report an incident? What is the time frame within which one must report?
- Professional information technology (IT) support No matter how small the organization or the practice, someone standing guard at the perimeter is of utmost importance. Managed antivirus, firewalls, and network monitoring are a must for every organization. If you do not have these, you do not know who is lurking in the dark corners of your network.
Protected Health InformationOnce a good defense related to “protected health information” (PHI) is put in place, it is time to monitor the system. You must be able to detect a PHI-related incident so you could respond to it appropriately and in a timely manner. Most of an organization’s methods of detection will be electronic. This explains why having professional IT support is crucial. IT support will use methods of protection and detection to include managed antivirus software, firewalls, integrity checks, and network access logs. Another equally important method of detection is auditing. Every single employee who accesses PHI should have his or her own unique user ID and password. Employees’ access should be monitored though their unique credentials. As a practice manager, you should run audits that help you detect changes or negative trends in the following situations:
- Failed and attempted log-ins Is anyone attempting to use an employee’s credentials, especially outside of normal working hours?
- Remote access Who is authorized to access PHI, and when are they accessing it?
- Daily review Does access into patient records look appropriate? Are changes in the patient records made by appropriate personnel?
- High access or high print activity Are employees accessing or printing more than what would be considered normal for their function within the organization?
- Hard drive auditing Who ensures that no PHI is saved to the hard drive? Employee workarounds are a common reason to find files saved on a hard drive rather than on the network.
Addressing an IncidentIf an incident is detected, the next step would be to analyze what happened, and whether PHI was involved. From a HIPAA regulatory standpoint, if no PHI is involved, then there is no incident. You need to know where the PHI resides, how it is protected, who has access to it, and when that access occurs. Remember that with the HIPAA omnibus rules, we operate under the concept of a “low probability of compromise,” or “LoProCo.” The burden of proof is on the entity to demonstrate that there is a low probability that PHI was compromised in any incident so we can avoid notification. Regardless of whether PHI was involved in any incident, containment is of the utmost importance. If the incident involved an electronic process, can the problem be corrected, or can the cause be quarantined or removed from the system to prevent further incidents? If the incident is related to human error, what remediation will be put into place? Is there an appropriately documented sanctions policy to address employee errors?
Patient NotificationIf the incident did involve PHI, and the organization is unable to demonstrate LoProCo, then regulatory and patient notification is required. Patient notification is required within 60 days of the discovery of a breach. If the breach impacts less than 500 patients, regulatory notification can be completed on an annual basis. For any breach involving more than 500 patients, the organization is required to complete regulatory notification within 60 days of the discovery of the breach. In addition, media notification is required in breaches affecting more than 500 patients.
HIPAA Incident Review ProtocolAfter any PHI-related incident, a review of the incident, the response, and outcomes should take place. Knowing what happened and understanding how it happened can help your organization prevent future similar incidents. Questions to consider during this review include:
- Do policies and procedures need to be updated based on the findings?
- What additional training is needed for the staff?
- Is additional IT support needed?