HIPAA breach survival guide
The financial, legal, regulatory and reputational implications of a HIPAA data breach pose one of the most significant threats to a medical practice or healthcare provider.
Whether the breach was intentional theft of information or accidental (such as an instance where a laptop or portable device with patient information is lost), an understanding of the legal steps a healthcare organization must take — as well as planning for what the entity should do when communicating with all affected parties — is the best preparation.
There have been more than 1,000 reported HIPAA breaches since the federal notification rules were established six years ago — representing the personal data of some 22.5 million Americans.
It is up to healthcare entities to protect their data and monitor for suspected breaches of Personal Health Information (PHI), which should include regular training and updating of patient privacy protocols.
When a breach is confirmed, the Office for Civil Rights within the U.S. Department of Health and Human Services is responsible for investigating complaints, conducting audits and ensuring compliance with all breach reporting regulations.
Determine size and scope
Upon suspicion of a PHI breach, covered entities are required by law to investigate and confirm the breach, and, if the breach affects more than 500 patients, report the incident to OCR.
Since 2013, the rules have fallen on the side of caution: a PHI breach is considered reportable unless the health care provider can sufficiently demonstrate a low probability that the PHI has been compromised.
A high probability breach will require timely notification to the OCR, with a comprehensive series of reporting and compliance measures to document the number of patients affected, efforts taken to notify patients, a description of the type of PHI that was compromised, steps individual patients should take to protect their privacy and a description of what the entity is doing to mitigate harm and protect against future breaches.
The law also requires that notice of the breach be given to the news media, which presents great potential for reputational damage if a crisis communications plan is not in place. Just one unintentional comment by someone not authorized to speak can do substantial damage to the reputation of the practice.
As soon as the breach has been identified, it is critical to retain a public relations firm with strong experience in crisis communications and reputation management; these are areas of specialty that an in-house PR department may not have.
Plan crisis communications
A comprehensive crisis communications plan will identify all of the parties that will have to be notified (patients, employees, business partners and vendors, and the news media), develop the best strategic messaging for those notifications, and anticipate and manage follow-up communications with the goal of preserving, or restoring, the practice’s reputation.
Delivering news of the PHI breach to employees in a timely and tightly focused manner is critical to avoid rapidly spreading rumors, misinformation or exaggerations. As the health care industry revolves around patient interaction, employees certainly should know some basic details of the breach, as they will likely be asked by patients; but they should also have clear-cut instructions on where to guide patients for more information (whether a toll-free number or a specified spokesperson) so that the primary focus of employee-patient interaction remains on health care.
News of a breach is almost guaranteed to generate media coverage — especially if a substantial number of patients are affected. OCR requirements spell out the information that must be disclosed to the media, but it is important to develop strategic messaging in any news release or media interaction to convey that the health care practice is taking all the necessary steps to address patient concerns.
Reporters and camera crews often look beyond prepared statements and news releases, and can make unannounced visits to the practice’s facilities. Here, it is essential that all employees, most notably those in reception and answering phones as well as high-visibility partners in the practice, are prepared in advance not to answer questions “on the spot” and to inform the reporter that the appropriate party will contact them for an official response.
A crisis communications plan will identify how follow-up questions or requests for interviews should be addressed, whether through continued issuance of statements or through a highly trained spokesperson. An experienced public relations firm will be able to assess the upside or downside of each approach.
To handle patient questions and concerns, a toll-free number managed by a professional call center is likely the most practical way to handle the high call volumes of a large-scale breach, allowing administrative staff to remain focused on daily operations. The crisis communications plan should develop tightly scripted messaging, with Q&A prompts for operators, as well as protocols for handling the most difficult callers. The first few days after an announced breach will see the highest volume of patient calls — and complaints — so it is essential that the difficult issues have been anticipated and responses prepared in advance.
Those most difficult calls will typically require direct follow-up from an experienced public relations/crisis communications professional to provide a level of attention and concern beyond that of a scripted operator.
How a breach incident is managed with patients, and how the issue is portrayed in the media, will shape the reputation of the practice going forward, and the way a patient talks about the practice to others. A practice might not lose a great number of patients over a breach, but “word of mouth” can have a direct effect on referrals from those patients.
Gauge costs and consequences
A HIPAA breach represents tremendous financial exposure to a medical practice or health care provider, beyond the heavy fines that can be levied by OCR.
From extensive forensic examinations to identify the source of the breach, to identifying and notifying all affected patients, and from upgrading IT security to securing outside legal representation and crisis communications counsel, it is not inconceivable that a PHI breach could bring a medical practice or health care provider to the brink of ruin.
On top of those costs, the failure to meet HIPAA standards could form the basis for negligence cases in states that recognize HIPAA as the minimal standard for protection of personal health care information. And the cost of reputational damage to a practice built upon the trust of its patients can be incalculable.