A health data breach is always stressful, no matter the size of the breach or organization. Upon discovering that a breach has occurred, the healthcare organization must painstakingly assess the scope of the breach and its impact on the organization and affected patients. In addition to this assessment, if the breach affects more than 500 individuals, it must be reported to the Office of Civil Rights (OCR) within 60 days of discovery, usually prompting them to investigate further. The well-known costs associated with a data breach include notification, credit monitoring services, lost revenue, and reputational damage. However, In addition to these, there are also associated costs when it comes to responding to any request or investigation from OCR, including:
- Diverting staffing resources away from daily operations
- Obtaining outside counsel and consultants
- Worrying about large fines and the “unknown”
When OCR is notified of a breach, it will inevitably want to receive detailed information about the incident. Healthcare organizations can expect to receive a “request for information,” which is the nice way that OCR lets you know they will be investigating the matter.
Diverting Staffing Resources
Once a data breach has been reported, OCR will want details on the specific nature of the breach. Compiling detailed documentation can be labor intensive, especially given the current tools used by privacy and security teams to manually identify and gather all of the necessary information. There has been recent adoption of AI-powered analytics that generates an alert and report of when accesses to patient data are suspicious. These analytics review every access to patient data within an organization, providing full insight into how its privacy posture is improving over time. Utilizing these advances in technology could hold the key to reducing the time associated with an OCR investigation by showing hospital leadership and OCR that technology has been implemented to reduce overall risk to the organization and ultimately prevent data breaches from happening in the future.
Healthcare organizations will also need to compile their HIPAA compliance policies and procedures as they relate to the breach under investigation as well as the broader organization. When OCR has requested information to be delivered promptly, gathering and organizing these documents can quickly become time consuming and costly when privacy teams have to hunt down each component of information and assemble it in a way that makes sense. Due to the amount of work associated with an OCR investigation, staff may not have sufficient time during the normal workday to complete all of their necessary tasks, resulting in staying late or having to be paid overtime, which can be become costly for the organization.
Obtaining outside assistance
Beyond staff time, it is often advisable to engage outside counsel or consultants to assist with the review of any response to OCR’s requests. This assistance demonstrates to OCR the seriousness with which the healthcare organization is treating the breach. An outside view may also be helpful in assessing operations and policies that are compiled in response to requests from OCR. Many times, the assessment will uncover non-compliance concerns that should be addressed within the organization as well as in a response to OCR. It’s important to note that it’s difficult to quantify the true cost of outside assistance, as it depends of the severity of the breach and how well the organization has prepared for breach response.
Worrying about large fines and the “unknown”
Commonly, an organization’s privacy and security teams are concerned about the impact the OCR investigation will have on the organization, wondering if OCR will impose a large fine or take some other sort of punitive action. Given the arguably unpredictable pattern of when OCR imposes a fine, every organization that experiences a health data breach will likely wonder if they will be the next headline - undoubtedly keeping CIOs up at night.
Further, when broader compliance issues are identified, there will need to be subsequent decisions made about what remedial actions will be taken. On the one hand, the decision can be made to incur the monetary costs of implementing new policies and fully evaluating all aspects of an organization. On the other hand, an organization can choose to roll the dice and wait and see if they experience another data breach. The latter approach is not advised given the current health data breach landscape, with 1.13M patient records breached in Q1 2018. If an organization takes its chances, unfortunately the most common posture, there is usually a lingering “what if” feeling that nags privacy and security teams, knowing they might be missing potential threats to the organization.
This stress associated with the “what if” concern can be alleviated when advanced analytics are used to audit every access to patient data, providing full visibility into how members of the workforce are accessing sensitive medical information. This insight, using artificial intelligence, provides privacy and security teams with the confidence to know that when inappropriate access to patient data occurs, they will be alerted immediately and can remedy the incident before it becomes costly for the organization.
There are many costs associated with a health data breach, including the time and resources necessary to fulfill any requests by OCR. As stressful as breach incidents can be for healthcare organizations, there are ways to better prepare and reduce the costs associated with these investigations. AI-powered analytics is one way to show OCR that the organization is taking health data security seriously and have taken steps to ensure better protection of patient data. To learn more about how artificial intelligence can help privacy teams better protect patient data, read an article in the June issue of the AHIMA journal.