In early 2009, a piece of federal legislation drastically changed the cyber liability landscape for health care organizations. The Health Information Technology for Economic and Clinical Health Act (HITECH), which amended the Health Insurance Portability and Accountability Act of 1996 (HIPAA), finally gave "teeth" to the federal scheme that provided for fines and penalties for breaches of HIPAA's privacy and security rules. Gone are the days under HIPAA of no reporting requirements after a data breach, and of the modest sliding scale of fines and penalties from $100 up to $25,000 per violation.
Now, under HITECH, "covered entities" (health care providers, such as hospitals, physicians' offices, clinics and group health plans as defined by ERISA) are obligated to notify affected individuals no later than 60 days after discovering that a data breach has occurred with respect to unsecured protected health information (PHI). In addition, health care providers face a much more daunting sliding scale of potential fines and penalties (from $100 up to $50,000 per violation, with a cap of $1.5 million per year) for violations that can relate not only to their preparedness (or lack thereof) to have prevented the breach, but also to the timeliness and appropriateness of their actions after the breach. And that's just the story under federal law. Companion state privacy/data breach laws often contain more burdensome reporting and notice provisions than those under HITECH, and most differ with respect to notice triggers, timeliness and required content of notice, as well as whether and how state agencies must be notified after a breach.
How can a health care organization prepare to try to prevent a data breach and ensure that it has positioned itself as effectively as possible to mitigate the subjective assessment by the government, post breach, of fines and penalties under the new HITECH sliding scale? The answer is twofold: Invest time and the appropriate resources now (or risk paying more than you might have planned for later), and remember that the best defense is a good offense.
Investing appropriate resources now means not only fortifying your IT infrastructure as a physical barrier to a data breach, but also complying with the training requirements under HITECH. All employees in your organization need to be educated and trained about their individual responsibility to maintain the security of protected health information, thus forming a "culture of compliance" barrier to a data breach. Following the mantra that "the best defense is a good offense," below are three key best practices your organization can implement to help mitigate exposure to a data breach and to help increase the likelihood of a favorable review by the government, if and when it subjectively evaluates whether, and to what extent, fines and penalties are appropriate in the case of your data breach.
First, an incident response plan, identifying members of the data breach response team and outside data breach/privacy counsel, should be developed, implemented, and regularly reviewed to monitor effectiveness.
Second, encrypt all portable electronic devices (including but not limited to laptops, smart phones and disc drives). If your PHI is encrypted, it is considered "secured" rather than "unsecured" information for purposes of HITECH. As such, you may have a safe harbor from the reporting obligations under HITECH (although your companion state law(s) may still require reporting). Obligations under HITECH aside, encrypting data is a strong preventive measure that you can point to when defending your preparedness in securing PHI to the government in a post-breach investigation.
Third, you should have written indemnification agreements with all vendors and third party service providers, that is, those entities that use, manage or transmit PHI as part of a service provided to your organization (also known as "business associates" under HITECH). Reports of health care data breaches resulting from vendors and third party service providers are rising dramatically. Ensure that vendors and third party service providers have data breach security controls and protocols commensurate with those of your own organization. These vendors and service providers can expose your organization to significant fines and penalties under HITECH based on their own preparedness for, and responsiveness (or lack thereof) to, a data breach involving your PHI. Remember that it is always your liability when a breach of your PHI occurs, no matter whether the breach was yours or that of your vendor or other third party service provider.
Robust risk management and preparedness for a data breach, coupled with an educated understanding of what your reporting and notification obligations are under federal and state law when a data breach occurs, will help ensure that your organization is better able to make sound and supported arguments against the assessment of any significant fines and penalties by the government after a breach. In the case of cyber readiness for health care organizations, an ounce of prevention really is worth a pound of cure.