A data security breach is something all health care entities try to avoid. Inadvertent disclosures of personal or other confidential information caused by a breakdown in security expose health care entities to a host of liabilities (under both federal and state law). In addition, a security breach may mar a health care entity’s reputation and lead to a loss of consumer confidence. Most health care providers (such as hospitals and nursing homes) and health insurers have invested significant resources to protect the privacy and security of patient health information in response to HIPAA (Health Insurance Portability and Accountability Act of 1996). However, health care providers, as well as other types of health care entities that may not be directly covered by HIPAA (such as pharmaceutical and device manufacturers and group purchasing organizations), also maintain information that is just as sensitive, but is not protected by HIPAA. This information may not fall within an entity’s existing privacy and security policies, or an entity may not realize that such information should be carefully safeguarded as well.

For example, health care entities typically have detailed information on past, present, and prospective employees. This information may include Social Security Numbers (SSNs), tax information, fingerprints, signature samples, date of birth, salary and other compensation, bank account numbers for direct deposit, performance evaluations, disciplinary actions or complaints, home address and phone number, and much more. All of this information is, to a greater or lesser extent, considered personal, private, and generally "confidential." Some of the information could be socially or professionally embarrassing to the employee should it be made public. But worst of all, unauthorized disclosure of an employee’s confidential information may put that employee at risk for identity theft.

Indeed, the rise of identity theft has made data security an increasing risk area for all employers, including health care entities. In 2005 and 2006, several major health care providers reported breaches of patient and employee information. (Such breaches motivated the Centers for Medicare & Medicaid Services ("CMS") to issue "HIPAA Security Guidance" to provide covered entities with strategies for protecting electronic health information. For an overview of this Guidance see "HIPAA Update" on page 5). Data breaches can occur because of lost or stolen laptops, dumpster diving, dishonest employees, hacking, or for any other number of reasons.

There is no silver bullet solution to guarantee that a health care entity will not have to confront a data security incident. However, a carefully considered mix of administrative, physical, and technical safeguards (on top of existing HIPAA policies for those covered entities that are subject to HIPAA) will serve to minimize the likely incidence and impact of a breach.

So, what can health care entities do to prevent a data security breach?

  • Take Stock. Get an understanding of the quantity and nature of confidential information your entity gathers, stores, uses, shares, and destroys. It is easy for the flow of confidential information to take on a life of its own as technology—and the processes, policies, and procedures of an entity—evolves over the years. Knowing what confidential information your entity has and how it travels within the entity is the first step in protecting it.
  • Develop a Realistic Policy for Safeguarding Data and Stick With It. Ideally, a data security policy will incorporate input from all employees who will be protecting the information on a day-to-day basis. What may sound like a good idea to a policy planning committee (e.g., encrypting all computers or requiring vendors to adopt certain information-safeguarding policies) may not be technically feasible or cost-effective, or may run at cross-purposes with existing policies. It is better to have a modest, practical plan that is actually executed, than a comprehensive plan that sits on a shelf.
  • Make Your Security Policy Multidimensional. Many security breaches happen because health care entities consider data security to be an IT issue. The best IT department in the world won’t stop a breach involving paper records, burglars, or disgruntled employees. Safeguarding data requires an administrative element—particularly ongoing management buy-in that is effectively communicated to employees. Safeguarding also requires a physical security element that involves thinking about how confidential information is stored, accessed, transmitted, and protected against intrusion, especially at off-site locations. And, yes, safeguarding requires an ongoing technical review of how technology is set up and used.
  • Keep Abreast of Best Practices. As of this publication, there is no federal statutory standard for protecting non-medical, non-financial personal data. The applicable standard is negligence, i.e., confidential information must be reasonably protected. Thus far, best practices are industry-specific and industry-developed. In the health care industry, the HIPAA Security Rule provides a good roadmap for best practices, even for information not protected by HIPAA. See 45 C.F.R. Parts 160 and 164, Subparts A and C. In particular, as previously mentioned, the recent "HIPAA Security Guidance" issued by CMS outlines a number of best practices for protecting electronic health information, such as implementing two-factor authentication for granting remote access to systems that contain health information.
  • Publicize It and Train on It. Protecting confidential information is the business of all employees, agents, contractors or volunteers who have access to confidential information that was entrusted to your health care entity. Widespread awareness of the importance of protecting all confidential information is the best defense an entity can have against a serious breach.

If, despite its best efforts, a health care entity experiences a security breach, what should it do?

  • Have a Good Security Breach Response Policy and Follow It. The policy should state the entity’s intent to fully and completely respond to any report of a security breach, and its commitment to minimize the impact of any breach. The policy should require reporting any suspected security breach to one clearly identified management-level employee (e.g., a Privacy Officer). It should also incorporate the elements outlined below.
  • Assemble a Working Group. Once the designated officer is notified of the breach (or potential breach), he or she should assemble and lead a working group to investigate and respond to the breach, as appropriate. The group may include as many people as appropriate, usually at least a representative from the legal department and a person with responsibility in the affected department (e.g., Human Resources).
  • Investigate the Breach. The working group must thoroughly investigate the breach, including interviewing anyone with knowledge of the incident and conducting an examination of the physical and technical security.
  • Determine Whether to Notify Any Affected Individuals. To the extent the security breach involves personal information, the entity should assess whether the individuals who are the subject of such information should be notified. This involves an assessment of both federal and state law. At this time, only 35 states have mandatory security breach notification laws. There are no federal requirements. The entity should also determine whether any policy, contract or best practice dictates notification of the affected individual(s). For example, where an individual’s Social Security Number, name and address are stolen, that individual may be at risk for identity theft, which may make notification prudent.
  • Consider Providing Affected Individual(s) With Assistance. For example, the entity may want to provide the individual with information on how to contact credit bureaus and freeze new lines of credit. The entity may also consider offering to pay for credit monitoring services.
  • Determine Whether to Notify Law Enforcement or Other Agencies. If the working group investigating the breach has reason to believe that the reported event involved a criminal act (e.g., credit card fraud), it should notify and cooperate with appropriate law enforcement authorities (e.g., local police). The working group must also determine whether any duty exists to notify state officials and/or consumer reporting agencies, and, if so, must make such notification.
  • Assess and Implement Other Mitigation Measures. The working group should consider, and implement, as appropriate, other methods to mitigate the impact of any security breach. This may involve enhancements to physical or technological security, additional employee training on specific privacy or data security procedures, and/or increased supervision over access to confidential information. Finally, individuals who violate a security breach policy should be disciplined, as appropriate.

In sum, it is critical that every health care entity have comprehensive privacy and security policies in place—including those for responding to a data security breach. In the event of a breach, an entity should immediately assess the specific factual circumstances surrounding the breach, remedy the breach at issue, and then look for ways to systematically improve the way it protects confidential information in its possession.

This article is presented for informational purposes only and is not intended to constitute legal advice.