In Part 1: “Unreasonable” Sources of Anxiety for Privacy and Compliance Professionals, Abby G. Mitchell explored the ambiguity of contract language related to reporting breaches.
Part 2: Beyond the Timeframes: Reporting Protocols, Risks and Tools
There’s no shortage of case law in several industries that covers analyses of prompt notice and what is reasonable. Just last year the Office for Civil Rights (OCR) settled the very first delayed notification action and imposed a fine of $475,000. The stakes are only getting higher.
It’s critical to have quick and easy access to obligations that differ from HIPAA’s breach requirements in BAAs. The logistics should be carefully examined before sending a breach notice.
CEs and BAs should maintain a formal data breach response manual describing the response protocol tailored to their organization. The manual should be easy to read and focus on providing accurate and timely notifications to third-party support, counsel, senior leadership, etc., and of course: impacted vendors. The protocol should be practiced by response teams at least annually as a tabletop exercise, during which specific points of contact should also be confirmed.
Healthcare organizations with hundreds, even thousands, of BAAs should consider exactly when and what information needs to be known before they are certain that PHI has been breached. This should be included as a critical step in the breach protocol manual.
This is where some of the ambiguous words and phrases come into play, and the timeframe requirements in the Breach Notification Rule are found to be impossible to abide by or are simply ignored. CEs want to know about data breaches as soon as possible, and some ask for immediate notification. The danger for both parties is the possibility of a knee-jerk reaction that can cause inaccurate information to be released.
The reputations of all involved can be unnecessarily damaged by premature and/or inappropriate notification, so it’s important to wait for forensics to be completed.
For BAs, repeated “false positive” notifications will ruin the company’s perceived ability to provide services, and can jeopardize current and future business relationships. For CEs, the consequences can be quite costly and public, and can require adherence to corrective action plans from the Office for Civil Rights.
In addition to requiring a BA to immediately notify a CE of potential or attempted breaches and all security incidents (see our post on “what does Security Incident mean to you?”), a BAA can contain a laundry list of information required by a CE that exceeds federal and state legislative requirements. It can most definitely be burdensome for a BA to address these additional, often unnecessary, requirements. Attention and time diverted from the essential elements of a breach analysis can compromise the ability to guarantee its accuracy and the speed at which a notice will be delivered.
Words and phrases like “promptly” and “without unnecessary delay” will probably never be improved by clearer language in BAAs and other contracts. An organization’s best bet is to invest time to evaluate these terms in the context of the most likely set of circumstances for them. That way, response teams can be ready to respond and be armed with correct information. Evaluating and tracking these obligations is a daunting, if not impossible, task to accurately manage manually.
Enter Automation
The first step is to know the notification timeframes detailed in each BAA so those that align can be reviewed as a group and classified accordingly. Using an automated platform like PHIflow allows this analysis to be completed in just a few seconds based on a user’s own configuration requirements. This means an organization can finally see all their “promptly,” “without unreasonable delay,” and “timely” obligations in one view. PHIflow identifies and groups timeframes across thousands of BAAs, allowing the user to bundle and group notification times across their business partners. The groups can then be prioritized in whatever manner the organization prefers and presented in a table for ease of use, a process that will ultimately deliver the information needed to make compliance decisions around breach notifications efficiently and effectively and, of course, without any unreasonable delay.
Abby Mitchell is a privacy professional at CoverMyMeds, where she has served in multiple capacities as the company grew and then merged with McKesson Corporation in 2017. Her primary focus is information technology across the healthcare industry and how privacy, legislation, information security, product development, and contracts influence its development and management. She developed the company’s privacy program and created policies for privacy, compliance, risk management and security. Prior to joining CoverMyMeds, Abby worked at MemberHealth, one of the first Medicare Part D plans.