No business is immune to data breaches, and that includes the healthcare industry, which has seen an 18 percent increase in breaches since 2015, when the U.S. Department of Health and Human Services Office for Civil Rights started publishing the major breaches it was investigating.
The increasing number of breaches, alongside a mid-2017 announcement of an update to the Health Insurance Portability and Accountability Act (HIPAA) Breach Reporting Tool, has spurred many healthcare organizations to ask whether their cybersecurity and privacy compliance efforts need to be improved and modernized. For the most part, the answer is yes.
This is mainly because provider organizations struggle to meet the requirement to notify parties affected by a breach within 60 days. Delays (and therefore non-compliance) typically stem from manual, inefficient processes for the initial reporting of events, for risk assessment and breach determination, and for the notification process itself.
That being said, provider organizations can typically ask the following two questions of their businesses to determine whether they are in good shape to be compliant with cybersecurity and privacy regulations or whether room for improvement exists:
- Is our breach reporting process integrated with other incident reporting activities?
- What currently manual steps in the process can be automated?
If you answered “no” to the first question, or cannot say which steps could be automated in answer to the second, there is room for improvement. The good news is that risk management technology exists to automate the risk management process across the enterprise, including the risks that affect your cybersecurity and patient privacy efforts.
The right risk management technology will allow you to:
- Easily report privacy breaches affecting from one to 500+ patients
- Conduct standards-based risk assessments
- Manage breach notifications for individual and multiple affected parties
- Track compliance against notification timelines
- Conduct investigations and root cause analysis
- Track and trend data with advanced analytics to drive improvement
The benefits of such features will likely include: improved HIPAA compliance with breach notification lag performance analysis; reduced time needed to comply with OCR reporting requirements; and easier notification of affected parties.
When it comes to notifying affected parties specifically, the right risk management technology automates the entire process with mail merge capabilities that pull in affected-party contact details and other data. Pre-built, customizable notification letter templates further simplify the process. All of this makes it less onerous to generate the required notifications, particularly when hundreds or thousands of affected people are involved.
Automation can also document these activities for you: adding date and time stamps to letter generation, and even appending copies of generated letters to patient contact records in your system automatically, which makes it easy to demonstrate compliance if the OCR investigates.
While the recent changes to the OCR HIPAA Breach Reporting Tool are fairly minor organizational and cosmetic improvements, other federal agencies, like the Occupational Health and Safety Administration, have made more significant improvements to compliance reporting by launching electronic submission portals. More than likely, it is only a matter of time before HHS OCR follows suit. As HHS OCR works to bring HIPAA reporting into the 21st century, healthcare providers need to ensure that their own reporting processes keep pace.
Read an article in Compliance Today from Riskonnect’s Jay Lechtman for more information on this topic.