We know you have questions. In Part One of a planned series of articles to look at the basic considerations of Incident Response best practices, let’s start with understanding who is required to report a security incident to regulatory authorities, government agencies, or consumers/patients. In follow-up articles, we will also review when an incident must be reported, what is to be reported/documented, and where different reporting requirements come into play.
Disclaimer, we’re not a law firm and I don’t provide legal advice. The nuances of regulatory language and of each organization’s unique considerations depending on the type and severity of a potential breach can be extremely complex but I think these guidelines can point your team’s Incident Response & Reporting Strategy in the right direction.
Notification of Breach Under HIPAA
HIPAA’s Breach Notification Rule is very specific about notification responsibilities in the event of stolen, lost, or compromised patient health information (PHI or ePHI). What must be disclosed and how depends on the nature of the information compromised, the number of customers or patients affected, and on the validity of the contact information you have for those affected.
Regardless of the number of patients or customers affected, begin by notifying individuals in writing by mail or email (if they previously agreed to receive such notifications electronically). This notification should include details about the nature of the breach, what steps they should take, an explanation of the steps you are taking, and contact information for any questions they may have.
If more than ten of the individuals affected by the breach or data loss cannot be reach by mail, your company is required to make public announcements in print or broadcast media to make a concerted effort to reach anyone who may have been affected. You would also be required to provide a toll free number for information.
If the incident affected less than 500 people, you have until the end of the current calendar year to report the breach to the Secretary or Health & Human Services. If the breach affected more than 500 individuals, it must be reported right away (within 60 days). In the event of a large breach, you are also required to provide notification to major media outlets wherever affected individuals may reside.
While you make the appropriate notifications to the media and regulators, you may need to seek out marketing, public relations, compliance, and potentially even legal advice. If the nature of the breach is potentially harmful to your brand, you may need to go beyond the notification requirements to reassure customers and patients that you are working hard to correct the situation. You may also need help investigating and presenting the details of the incident to officials. It is wise to have such experts lined up and prepared for any critical security situation that may arise.
HIPAA places primary responsibility for notification on the covered entity. However, we are seeing business associates considered increasingly liable by OCR auditors and investigators. Ultimately, covered entities and business associates share responsibility and the duties in protecting data, responding to an incident, and reporting any breach that occurs must be specified in the Business Associate Agreement established at the outset of the relationship.
If your organization is also equipped to handle credit card or electronic payments, you are holding extensive financial and persona l information along with health data. Your payment processing company may require notification of a breach as well. They may also provide assistance in the notification and remediation process.
Payment Data and Personal Information Breach Notification
Regardless of your industry, if your company processes credit card or electronic payments, you also must maintain extensive customer data and you have a duty to report any loss, theft, or breach of that data. If your payment systems are processed through a company like Merchant Services, they may require immediate notification – in the case of Merchant Services 72 hours! These services will also provide help notifying affected parties.
The PCI DSS – Payment Card Industry Standards are a set of rules agreed to by the major credit card companies and they are non-regulatory but rather self-policed by these companies. The requirements of PCI are part of the agreements your company makes when you are set up to take payments by credit or debit cards directly from customers. Learn more about PCI obligations here.
In the event of a breach of data, companies are expected to immediately contain the loss of data, preserve evidence and conduct appropriate investigation into the cause, source, and extent of the breach, and then notify appropriate agencies and affected individuals. This extensive guide from Visa outlines the steps to responding if your payment and personal customer data is compromised.
Shared Reporting Responsibility
Even in industries other than healthcare and commerce, any company that collects or manages PHI/ePHI (health data) or PII (personally identifiable information) of any kind, could be subject to requirements of reporting any breach of such data. If your company is contract with healthcare organizations in any capacity, you should understand how business associate regulations may apply to you and have an appropriate Business Associate Agreement established. While the covered entity holds primary responsibility, regulators are seem to cracking down on associate companies and vendors for inappropriately managing or failing to report loss of patient data.
If your company comes under scrutiny following the loss of customer/patient data, you need to be able to demonstrate diligence in protecting the data before the incident occurred and your valiant efforts to stop the data loss or understand the cause. Many organizations struggle to capture a clear picture of threats and incidents happening on the system. Documentation is an added challenge exacerbated by a lack of clear data.
A quick response and honest disclosure to those affected will go a long way to garnering favor from regulatory or industry officials – or just in the court of public opinion and brand trust. Your organization cannot effectively respond and provide adequate notification without understanding what is expected and being prepared before you face a breach. Prepare now for when, not if, trouble comes.