Docs, You’ve Been Hacked. What’s Next?

HIPAABy: Jacqueline Bain

Healthcare providers have heard the HIPAA disaster stories: a laptop containing patient information is left on the counter at the coffee shop; a thumb drive with patient files goes missing; a rogue employee accesses patient information she has no business accessing; hackers get into a practice’s server and hold the patient information for ransom.

HIPAA is a federal law designed for safe disclosure of patient’s protected health information.  The news headlines showcase giant penalties for violations.  However, Florida health care providers should also know that Florida has its own consumer protection statute, called the Florida Information Protection Act.  So while you’re busy worrying about your HIPAA exposure in any of these situations, remember that there is potential State exposure as well.

So what should a healthcare provider do if it believes there has been a hack or some other unauthorized disclosure?  Responses vary based on the situation presented, but below is a good jumping off point:

  1. Follow your privacy policies and procedures. You’ve kept your HIPAA and FIPAA policies and procedures up to date, right?   Use them.  Investigators place a great value on the fact that a healthcare provider had a plan in place and followed it. Additionally, having a procedure to follow in a chaotic time will help to keep you organized and the investigation moving forward.
  2. Contact your IT provider. Stop the bleeding. Get your IT provider in as soon as possible in order to stop the hack, to determine whether a disclosure has been made, the extent of the disclosure, what was accessed, how it was accessed and how such access can be prevented in the future.
  3. Contact legal counsel. Get your lawyer involved early. This will allow counsel to help you through the process, to analyze details as they arise, and\ to alleviate some of the time pressure later on.  Calling your lawyer on the last day is not in your best interest.
  4. Keep a journal. Ask anyone in your office who is involved in investigating the breach to keep a journal of what they’ve done each day between when the hack was discovered and when a decision is ultimately made whether to report it. These journals will encourage those involved to stay vigilant and will also become a part of the investigation file.
  5. Keep an eye on your timelines. Both HIPAA and FIPA contain time periods for timely disclosure. Note that FIPA’s timelines are shorter than HIPAA, meaning that you have less time to make disclosures to the State of Florida.

Reports must be made if there is a determination that a patient’s protected health information has been disclosed outside of the bounds set by law. Although news outlets focus on the large hacks, even the smallest disclosures (involving one or more individuals) must be reported. Every healthcare provider must notify the Secretary of HHS prior to 60 days following the end of any calendar year of every disclosure of less than 500 individuals made in the year prior.  So, if a physician office determines that a thumb drive with a patient’s X-rays was delivered to and accessed by the wrong patient, this must be disclosed to HHS along with any other breaches at the end of a calendar year.  Here is the link to make that report.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s