Everyone knows that you call a plumber for a leaking pipe, a mason for a cracked stone wall, and an electrician to fix faulty wiring. However, when faced with an actual or suspected HIPAA data breach, many folks struggle with determining whom to call. Failure to have contacts lined up ahead of time may pose more than an inconvenience: any delay in bringing in experienced advisors to assist with breach investigation, response and mitigation may result in significant financial and legal consequences.
HIPAA covered entities and business associates should have a written breach response policy and protocol. The policy and protocol should provide clear guidance to the covered entity’s or business associate’s staff regarding how to respond to an actual or suspected breach. Among other things, the policy and protocol should include a roster of resources staff persons may rely upon, including legal counsel, forensic and IT consultants, public relations/marketing professionals, and human resources advisors. Given the necessity of responding to a breach promptly, covered entities and business associates should not wait for a breach to occur in order to start assembling a team.
In light of the risk of lawsuits or government enforcement, the first call to make should be to an attorney experienced in data privacy matters. The value in contacting an experienced attorney, aside from expertise in the legal requirements imposed by HIPAA and other state and federal laws that may apply, is that bringing in an attorney at the start may allow the covered entity or business associate to protect the subsequent breach investigation and response under attorney-client privilege. By doing so, the covered entity or business associate may be able to protect the confidentiality of damaging facts (such as investigatory reports citing failures in the covered entity’s or business associate’s privacy safeguards) from plaintiff’s counsel seeking to sue for damages. While there is no guarantee that asserting attorney-client privilege will be successful in all instances, having an attorney involved and directing the investigation from the start is often the only chance a covered entity or business associate has at protecting damaging information from litigants and the public.
Aside from legal counsel, covered entities and business associates should have a list of trusted forensic and IT consultants. When electronic protected health information (ePHI) is involved, consultants experienced in HIPAA matters are necessary. They may be needed to investigate a hack or ransomware attack; audit the online activities of a rogue employee; report on what information may have been on a lost or stolen mobile device; or recover data from a damaged hard drive.
Data breaches often result in considerable media attention, particularly when notice to the media is required. Protection of an entity’s reputation is crucial to retaining customer and public trust, and the services of a media relations professional are often invaluable. If employees are involved in the breach, seek advice from an HR professional prior to conducting employee interviews, sanctions or termination, particularly if a unionized workforce is involved.
A HIPAA breach is like a fire drill – you need to respond quickly and cannot ignore the warnings. Having the right team in place ahead of time will ensure a timely, appropriate and cost-effective response to the breach.