Defending Yourself in the Event of an OCR Reportable Breach

Between 2009 and 2021, the Office for Civil Rights (OCR) received 4,419 reports of data breaches involving 500 or more medical records from healthcare entities. 

And that number just keeps growing. 

So, what can you do if you experience the loss of protected health information (PHI) that results in an OCR reportable breach? 

Read on to learn how to best defend your organization and avoid long-term penalties for a cybersecurity breach. 

Before the Data Breach: How to Prepare Yourself

Let’s start pre-breach. Why? Because OCR is going to review your pre-breach compliance with the HIPAA Security Rule and your pre-breach remediation efforts to assess whether you’ve been taking HIPAA seriously and have a culture of compliance. 

Pre-breach, protect yourself by completing an annual “defendable” security risk assessment (SRA) in line with OCR’s guidance on risk analysis. Yes, OCR publishes guidance on how to protect PHI. The underlying requirement is 45 CFR 164.308(a)(1), the security management process standard within the HIPAA Security Rule (CFR = Code of Federal Regulations). It requires an accurate and thorough risk analysis of the risks and vulnerabilities to electronic PHI, followed by risk management that reduces those risks to a reasonable and appropriate level. 

Within the HIPAA Security Rule, there are three categories of safeguards: administrative, physical, and technical. Each category contains multiple standards, most of which carry their own implementation specifications. After assessing your controls against each safeguard, you’ll need to produce a risk management plan that ranks the identified risks to PHI as high, medium, or low and assigns each one an owner and a remediation timeline.

OCR Reportable Breaches: What Should You Do?

You’ve done all you can to prepare, but what happens when you experience a reportable breach? First, as soon as the breach is discovered, call your HIPAA attorney. Explain the situation and solicit their advice as to whether this loss of PHI is a Reportable Breach.  

If they say yes, your communications with counsel for the purpose of obtaining legal advice, from that point forward, are covered by attorney-client privilege (ACP), and forensic work engaged through counsel may also be protected as attorney work product. Be clear about what that does and does not cover: the advice you exchange with your attorney is protected, but the underlying facts of the breach, your existing security records, and the breach notification itself are not, and OCR can still request them during its investigation. Use your attorney to submit your Breach Notification.  

An attorney is essential to this process, so don’t try to save money by reporting a breach yourself.  

The Clock is Ticking: When Should You Report a Breach?

There are federal time requirements that dictate when you must report a breach. Under the HIPAA Breach Notification Rule, affected individuals must be notified without unreasonable delay and no later than 60 calendar days after the breach is discovered; a breach affecting 500 or more individuals must also be reported to HHS within that same 60-day window, while smaller breaches are logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered. States also have their own time requirements, with some giving you as little as five days to report a breach. Most importantly, be sure to seek guidance from your HIPAA attorney in a timely manner. 

Now that counsel is engaged and ACP applies, begin your due diligence under their direction. What happened? What do the forensics show? Find out:  

  1. How many patient records were affected 
  2. Which patients were affected  
  3. What PHI data elements were involved, who obtained them, and whether the data was actually acquired or viewed, since these are the factors the breach risk assessment turns on 

If your due diligence identifies the cause of the breach (hardware, software, infrastructure, people, policies, procedures, or a combination of these), remediate that root cause as soon as possible and document what you changed. OCR will look for evidence of corrective action.

Final Preparations for Reportable Breaches: Know What’s Coming

It’s important to understand the consequences and costs of dealing with a reportable breach. Prepare your organization and yourself for what you’re likely to lose, including: 

  • Money: A reportable breach is going to cost money. HIPAA attorneys range from $400-$750/hour. You will probably also incur OCR fines, the cost of identity theft protection or credit monitoring for affected patients, etc.  
  • Time: Expect to spend hours working with your attorney preparing the breach notification, responding to OCR questions, etc.
  • Patient confidence: From the elderly patients who are worried and “don’t understand” to the parents who are concerned about their children’s identity – everyone is going to have questions. 

OCR Reportable Breaches: The Conclusion 

No healthcare entity expects to experience a cybersecurity breach…until it happens. The best thing you can do is ensure your organization understands what actions to take before, during, and after a potential breach in order to take a defensible stance. 

Many entities turn to healthcare compliance software to track and manage risk assessments, build a Book of Evidence, and complete compliance requirements that they can prove in the event of a breach. 

Improve your cybersecurity posture and prepare for the worst with a fully automated, centralized platform. Learn more about ensuring full HIPAA compliance by getting in touch with the HIPAA experts at Intraprise Health.