
Key Ways to Manage the Legal Risks of a Healthcare Data Breach

Managing the legal risks of a healthcare data breach requires organizations to view risk holistically and collaborate with key stakeholders.


Healthcare data breaches can result in data theft, reputational and financial losses, and most importantly, patient safety risks.

But breaches also come with significant legal implications. Data shows that impacted patients’ lawyers are increasingly filing duplicative lawsuits against healthcare organizations in the days and weeks after a data breach.

Data breach lawsuits often claim negligence, alleging that the organization should have implemented stricter security controls to prevent a breach, given the prevalence of breaches in the sector.

Other lawsuits may call out noncompliance with state and federal breach notification laws, such as the HIPAA Breach Notification Rule.

Even in the absence of actual harm resulting from the data breach, organizations may choose to settle the matter outside of court to avoid lengthy legal proceedings and steep defense costs.

It is impossible to avoid legal risk altogether, and even with the most mature security posture, healthcare organizations may still be susceptible to data breaches and the lawsuits that follow.

However, by focusing on the things an organization can control and viewing risk holistically, HIPAA-covered entities and companies that maintain health data can better protect themselves while also protecting patients and reducing the potential impacts of a data breach.

Pay Attention to State, Federal Breach Notification Laws

The current patchwork of state and federal data privacy laws can make it difficult for organizations to know where they stand when it comes to notifying relevant entities and impacted individuals of a breach. There is currently no nationwide data privacy law that sets clear expectations for every entity type when it comes to data breaches.

HIPAA-covered entities do have clear obligations under the HIPAA Breach Notification Rule, which requires them to notify impacted individuals of a PHI breach within 60 days of discovery. If the breach impacted more than 500 individuals, HIPAA also requires the covered entity to notify HHS and prominent media outlets within 60 days.

Covered entities must notify HHS of a healthcare data breach of any size, though they can report breaches impacting fewer than 500 individuals on an annual basis. HIPAA-covered entities may face scrutiny in lawsuits if they fail to notify impacted patients of a breach within the allotted timeframe.

“Of course, HIPAA-covered entities and business associates have long appreciated the consequences of data breaches for data that constitutes PHI,” Colleen Brown, partner at Sidley, told HealthITSecurity.

“But it's not just HIPAA-covered entities and business associates that may have breach notification obligations in the event of a breach of health information.”

In September 2021, the Federal Trade Commission (FTC) issued a policy statement affirming that health apps and connected device companies that collect health information must comply with the Health Breach Notification Rule.

In addition, individual states have breach reporting requirements that differ greatly. Companies that hold health data but are not subject to HIPAA must pay extra attention to the patchwork of state and federal breach reporting requirements to ensure compliance. As the regulatory landscape continues to shift, organizations must be prepared to adapt and employ updated strategies to maintain compliance.

Document Everything

Documentation of security and privacy practices is also crucial to managing legal risks.

“Go in and do vulnerability testing, penetration testing, or broader information security assessments and have recommendations developed to further improve and enhance the information security program,” Brown said.

“But remember to document how the company has implemented those recommendations and enhanced the program or addressed potential vulnerabilities.”

If an organization is a HIPAA-covered entity, it should maintain clear documentation of its efforts to comply with the HIPAA Privacy and Security Rules. In litigation, having a well-documented information security program can help to provide lawyers and regulators with proof that security and privacy are top priorities for the organization in question.

“If a company does not do a good job at documenting the remediation of vulnerabilities or implementation of information security initiatives, the record is a bit incomplete and perhaps paints a worse picture of the information security program than is actually the case on the ground,” Brown reasoned.

Brown suggested that organizations work with their legal counsel to establish that record and to improve the organization’s information security risk posture.

“When you focus on documenting your program, it also helps you to more methodically address those vulnerabilities,” Brown stated.

Focus on Incident Preparedness and Response

A major step toward managing cyber and legal risk must occur before a cyber incident happens. Cyber incident response and preparedness plans are crucial to ensuring that organizations can manage cyber risks before, during, and after a breach.

Having a cyber incident response plan in healthcare is required under HIPAA, but not all incident response plans are created equal. A thorough incident response plan requires open communication between legal, IT, and security teams, along with an emphasis on identifying, tracking, and containing cyber threats. Additionally, incident response plans require practice and coordination.

“Table-top your incident response plan, and ensure that you are integrating the legal and the regulatory affairs stakeholders with the technical stakeholders so that the broader picture of risk, with respect to a cybersecurity incident, is being addressed in a coordinated fashion,” Brown said.

Tabletop exercises can help organizations prepare for cyber events in a low-stress environment so that they are better prepared in the event of an actual breach.

Collaborate Across Functions

“It's very important that information security professionals within the organization have a very good working relationship with the lawyers in the organization and the compliance folks in the organization,” Brown emphasized.

“If you just focus on containment and technical remediation, you might miss some deadlines or you might not anticipate certain risks. It may be that legal needs to bring in some specialists, such as forensic specialists under privilege, to help manage the legal risk, and timing is critical there.”

Fostering relationships between all relevant stakeholders is crucial to effective risk management. Data breaches are more than just cyber risks – they are also patient safety risks, business risks, operational risks, and legal and regulatory risks. With that in mind, all key stakeholders from across the organization should have a seat at the table.

“Yes, policies, procedures, and resources, from a technical perspective, are critical to success,” Brown acknowledged. “But true success often comes down to the people working well together and really shining as a team to crisis manage.”